jpwallen asked:
SOX Audit gone too far?

Our company has recently been the victim of a SOX audit because we are part of a publicly traded enterprise. Usually a SOX auditor's goal is to make sure a company is complying with a set of security standards to prevent data breaches. There were two applications for which they required us to have users change their passwords every 90 days and make them more complex. As a systems administrator I was OK with that, since I don't work on those applications that much, and when I do need someone's login I can just look it up in the database. I was glad they didn't put these same requirements on our Active Directory. But now, almost a month after the first directives, they want us to make our Active Directory passwords expire as well!

This is a problem because we regularly have to log in as the particular user (by referencing a sheet) to fix people's machines or log in to their email client to set up their machine. So basically, if we need to get into someone's account we will have to reset it, meaning they won't be able to log in. This will cause another help desk call because now people can't check their mail either. Not to mention, if someone locks their computer, doesn't the workstation cache the NTLM hash of the login credentials, so that even if we did change the password in AD we still could not unlock the workstation? On top of that, people's phones won't sync once a password change has occurred, and they probably won't know about it.

My main question is: is there any way to get around the SOX requirements, since there are no official SOX IT security specifications defined? The changes will hurt our business, and it doesn't seem to me like the auditors are doing the job they are supposed to do.
Papertrip:

If the auditors require it before signing off, then there isn't much you can do about it if you want them to certify you.

What they are asking is normal for SOX compliance.

"This is a problem because we regularly have to log in as the particular user (by referencing off a sheet) to fix peoples machines or login to their email client to set up their machine."

Do you really have a list someplace of usernames and passwords for all your users?
jpwallen (asker):

We assign them a username and password. When we need to log in as them, we reference the sheet. Before I came to the company I thought it was a bad idea, but I have come to require it for setting up people's profiles.

Another thing I just thought of is that they are also going to require a three-login-attempt lockout on domain accounts as well. This means every time they change their password they will get locked out immediately, since their smartphones are set to auto-sync with their domain account.

I've even been to government organizations with sensitive data that didn't require domain password changes (but the mainframe did). Is it really all that normal for this to be implemented?
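The settings being argued about above (maximum password age, complexity, lockout threshold) and the lockout-after-phone-sync problem can be checked directly in Active Directory. The following PowerShell is an added example written for this page, not something posted in the thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin session, and the 90-day and 3-attempt figures are the ones the asker quotes, not a standard of their own.

```powershell
# Added example (not from the original thread): audit the domain password and
# lockout settings a SOX auditor typically asks about, then list the accounts
# that are currently locked out or exempt from expiry. Assumes the RSAT
# ActiveDirectory module and a domain-joined admin session. The 90-day max age
# and 3-attempt lockout are the values quoted in the thread, not a standard.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Show the current settings next to what was asked for.
[pscustomobject]@{
    MaxPasswordAgeDays     = $policy.MaxPasswordAge.Days    # auditors want <= 90
    ComplexityEnabled      = $policy.ComplexityEnabled      # auditors want True
    MinPasswordLength      = $policy.MinPasswordLength
    PasswordHistoryCount   = $policy.PasswordHistoryCount
    LockoutThreshold       = $policy.LockoutThreshold       # 0 = never lock out; auditors want 3
    LockoutDurationMinutes = $policy.LockoutDuration.TotalMinutes
    LockoutWindowMinutes   = $policy.LockoutObservationWindow.TotalMinutes
} | Format-List

# "Never expires" is represented as a zero TimeSpan, so test for it explicitly.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.Days -gt 90) {
    Write-Warning "Domain MaxPasswordAge does not meet the 90-day requirement."
}
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt 3) {
    Write-Warning "Domain LockoutThreshold does not meet the 3-attempt requirement."
}

# Accounts individually flagged "password never expires" fail the audit even if
# the domain-wide policy passes.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object SamAccountName, Enabled |
    Sort-Object SamAccountName

# After a password change, a phone still syncing with the old password will
# trip the lockout threshold. List who is locked out right now together with
# the time of the last bad attempt and the last password change; a bad attempt
# shortly after a password change is the stale-device pattern.
Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties LastBadPasswordAttempt, PasswordLastSet |
    Select-Object SamAccountName, LastBadPasswordAttempt, PasswordLastSet

# Clearing the lockout does not require resetting the password, so the user's
# current credential keeps working on the workstation and in mail:
#   Unlock-ADAccount -Identity jdoe      # jdoe is a placeholder account name
```

Two caveats when reading the output: the default domain policy is not the whole story if fine-grained password policies are in use (check a specific user with `Get-ADUserResultantPasswordPolicy -Identity <user>`), and a lockout threshold of 3 with a short observation window will be hit by any device that retries a stale password a few times, which is the behaviour the asker is worried about.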
Papertrip:

Yep, this is all normal and is best practice, aside from any audit being done.

You had the right idea: handling users and passwords this way is a bad idea.

Not to be rude, but I don't even know where to start to help you fix all of this... there is a lot that you are doing but should not be. I foresee many new questions to EE in your future.

One of the first steps should probably be to set up some domain admin accounts and stop logging into users' accounts, as well as stop keeping a password list (haven't you seen WarGames? ;) )

SOX audits suck, but in the end what they require is usually something you should be doing anyway, and that most definitely applies to this particular case.
jpwallen (asker):

Well, yes, we have domain admin accounts, but how would you diagnose a problem that's only happening on one person's user account when that person isn't in the building? If this were Linux it would be a non-issue with the switch-user command, but Windows is completely different in that an authentication token is more than a username.
ASKER CERTIFIED SOLUTION by Papertrip (content available only to Experts Exchange members).
jpwallen (asker):

Makes sense. I guess the big question is how fast they are going to push this on us.