Shared ID password change timeliness 2218



  • I am in the situation of trying to determine the timeliness of a password change.
    The Admin ID is set to change every 45 days. We have a limited number with access to that password, and the list is reviewed quarterly.
    One Admin with knowledge of the password left the company under good terms. The team did not change the password because as soon as the person left, a second Admin put in their 2-week notice.
    The team wants to wait until the second person leaves before changing the password on the 800 servers due to the amount of time it takes to actually change the password. It’s a somewhat manual process, with small portions of it being automated.
    Has anyone run into this? Would this fail based on the 2 weeks it was not changed after the first admin left?



  • Can that system be accessed on the internet, or can the former admin otherwise gain access without being physically on-site? If not, I would say that is a mitigating control in the interim.



  • ^ Agreed - as you should make certain all VPN or Internet based access is disabled for the 1st admin and later for the 2nd admin once they are no longer supporting this environment. With the 1st admin leaving on good terms, there’s probably no real exposures there. However, this may not look good on an audit checklist if discovered. Still if being physically on-site is a mitigating control, this also helps contain the risks (and if so, it’s most likely not a major SOX failure).
    Hopefully, no more admins will leave in the near term. When an admin leaves the company, it’s always a best practice to change major passwords immediately, (and usually it’s an IT audit requirement as well). Still sometimes based on circumstances, the gold standard can be missed occasionally.



  • Best practice would not allow any sharing of passwords. However, there are a few applications that do not yet allow more than one user to have admin-level access. In that case, you should have identified compensating controls that help to ensure that adequate SOD still exists, that admin-level changes to the impacted systems are authorized and that only authorized individuals have system access.
    Risk is a subjective matter. We all have different tolerances for risk. We also need to take a cost/benefit approach to establishing effective controls so that we are not spending USD100 to mitigate USD100 or less of risk.


Log in to reply