SOX Audit gone too far?
Posted on 2011-10-19
Our company has recently been the victim of a SOX audit because we are part of a publicly traded enterprise. Usually a SOX auditor's goal is to make sure a company is complying with a set of security standards to prevent data breaches. There were two applications for which they required us to have users change their passwords every 90 days and make them more complex. As a systems administrator I was OK with that, since I don't work on the applications that much, and when I do need someone's login I can just look it up in the database. I was glad they didn't put these same requirements on our Active Directory. But now, almost a month after the first directives, they want us to make our Active Directory passwords expire as well! This is a problem because we regularly have to log in as the particular user (by referencing off a sheet) to fix people's machines or log in to their email client to set up their machine. So basically, if we need to get into someone's account we will have to reset it, meaning they won't be able to log in. This will cause another help desk call, because now people can't check their mail either. Not to mention, if someone locks their computer, doesn't the workstation cache the NTLM of the login credentials, so even if we did change the password in AD we still could not unlock the workstation? On top of that, people's phones won't sync when a password change has occurred, and they probably won't know about it.
My main question is: is there any way to get around the SOX requirements, since there are no official SOX IT security specifications defined? The changes will hurt our business, and it doesn't seem to me like the auditors are doing the job they are supposed to do.