P.S. I greatly respect the knowledge of gmerkl, Denis, kymike, NC, and others who are truly experts here. Please keep in mind that Sarbanes-Oxley is written at a very high level and in a way that is flexible for a wide range of companies, IT systems, and workflow requirements.
There are no absolutes on some of these issues. SOX is a risk assessment exercise, rather than a template of ‘do’s’ and ‘don’ts’. This is why some companies can go to extremes in one area and miss something in another area. For example, I’ve seen one company go out of their way with highly inefficient procedures, because they felt they couldn’t rely on electronic timestamps – and they had to have a paper copy to back it up.
I can even see possible exceptions for non-expiring passwords (e.g., maybe an internal-use-only web app that’s not critical and not highly public?). But to me, it would be the exception, and I would err on the side of rotating passwords where possible. That’s why I replied YES in my answer above - you want to keep this to a minimum, as it’s not a best security practice (and if audit was convinced it were a material risk, it could lead to comments shared with Sr Mgt).
RECOMMENDATION: I’ve always recommended that folks check with their SOX auditors as well for advice, as your mileage can vary on what is truly a material risk or not. They are the ones that are either going to pass or fail these types of situations to senior management.