Are unknown system IDs an operating deficiency?

  • Is it a deficiency when a company uses a system (for example ADP, Great Plains) and there are users defined in these systems whose purpose neither the system administrator nor the data owner knows? These IDs could have been established at installation time; however, since the admin has changed, nobody knows what their use is.

  • I would say that it is a deficiency if there is a regular review of user access and the unidentified user names are not removed. If they are noted as of the first access review and removed, then the access review as a control is working (at least for that aspect of it).

  • I also believe these ‘stale’ accounts are an issue, esp. as they relate to SOX 404 IT controls for financial systems. For example, in a rare case of fraud, an ADMIN might leave open some ‘spare’ accounts, which could provide a backdoor into the system. But in your case, it’s probably just the need to clean up old history (e.g., special installation or test accounts).
    As these may or may not be Windows system accounts working in conjunction with the software, it might be a good approach to lock/deactivate these for a period of time (e.g., 30 or 90 days). This might be safer than deleting system accounts and then having to recreate them from scratch with all the associated security rights.
    The IT department could also check vendor documentation or with the vendors themselves to see if they know the purposes of these accounts.
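The review-and-quarantine approach described in the replies above (reconcile each ID against an owner attestation, lock unidentified ones, delete only after the lock period has expired) as an added Python example; it is not code from the thread or from any of the products named, and the account names, dates and the 90-day period are constructed values.

```python
from datetime import date, timedelta

# Constructed sample export of user IDs from a financial application. "flagged" is
# the date an earlier access review first marked the ID as unidentified (None = never).
SYSTEM_ACCOUNTS = [
    {"id": "jsmith",    "enabled": True,  "flagged": None},
    {"id": "GPINSTALL", "enabled": False, "flagged": date(2007, 1, 15)},
    {"id": "sa_batch",  "enabled": False, "flagged": date(2007, 4, 2)},
    {"id": "testuser1", "enabled": True,  "flagged": None},
]

# Constructed attestation list: IDs the admin, data owner or vendor could explain.
ATTESTED_OWNERS = {"jsmith": "Finance", "sa_batch": "nightly GL import (vendor doc)"}

QUARANTINE_DAYS = 90  # lock period before deletion, per the 30/90-day suggestion


def review(accounts, owners, today, quarantine_days=QUARANTINE_DAYS):
    """Return {id: (status, action)} for one access-review cycle.

    identified       -> keep (re-enable if an earlier review had locked it)
    new_unidentified -> disable now and record today as the flag date
    quarantined      -> stay disabled until the lock period has run
    delete_eligible  -> lock period expired with no owner found; remove
    """
    result = {}
    for acct in accounts:
        uid, flagged = acct["id"], acct["flagged"]
        if uid in owners:
            action = "keep" if acct["enabled"] else "re-enable (owner: %s)" % owners[uid]
            result[uid] = ("identified", action)
        elif flagged is None:
            result[uid] = ("new_unidentified", "disable; flagged %s" % today.isoformat())
        elif today - flagged >= timedelta(days=quarantine_days):
            result[uid] = ("delete_eligible", "delete; locked %d days" % (today - flagged).days)
        else:
            remaining = quarantine_days - (today - flagged).days
            result[uid] = ("quarantined", "keep disabled; %d days remaining" % remaining)
    return result


def exceptions(result):
    """IDs the review should report as findings (anything not identified)."""
    return sorted(uid for uid, (status, _) in result.items() if status != "identified")


if __name__ == "__main__":
    for uid, (status, action) in review(SYSTEM_ACCOUNTS, ATTESTED_OWNERS, date(2007, 5, 1)).items():
        print(f"{uid:<12}{status:<18}{action}")
```

The review log (status and action per ID, plus the `exceptions` list) is the evidence that the access-review control is operating, which is the distinction the second reply draws.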
