Solved

SOX Audit gone too far?

Posted on 2011-10-19
Last Modified: 2012-05-12
Our company has recently been the victim of a SOX audit because we are part of a publicly traded enterprise. Usually a SOX auditor's goal is to make sure a company is complying with a set of security standards to prevent data breaches. There were two applications for which they required us to have users change their password every 90 days and make them more complex. As a systems administrator I was OK with that, since I don't work on the applications that much, and when I do need someone's login I can just look it up in the database. I was glad they didn't put these same requirements on our Active Directory.

But now, almost a month after the first directives, they are wanting us to make our Active Directory passwords expire as well! This is a problem because we regularly have to log in as the particular user (by referencing off a sheet) to fix people's machines or log in to their email client to set up their machine. So basically, if we need to get into someone's account we will have to reset it, meaning they won't be able to log in. This will cause another help desk call because now people can't check their mail either. Not to mention, if someone locks their computer, doesn't the workstation cache the NTLM hash of the login credentials, so even if we did change the password in AD we could still not unlock the workstation? On top of that, people's phones won't sync when a password change has occurred, and they probably won't know about it.

My main question is: is there any way to get around the SOX requirements, since there are no official SOX IT security specifications defined? The changes will hurt our business, and it doesn't seem to me like the auditors are doing the job they are supposed to do.
Question by:jpwallen
6 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36995329
If the auditors require it before signing off, then there isn't much you can do about it if you want them to certify you.

What they are asking is normal for SOX compliance.

This is a problem because we regularly have to log in as the particular user (by referencing off a sheet) to fix peoples machines or login to their email client to set up their machine.

Do you really have a list someplace of usernames and passwords for all your users?
 
LVL 1

Author Comment

by:jpwallen
ID: 36995586
We assign them a username and password. When we need to log in as them, we reference the sheet. Before I came to the company I thought it was a bad idea, but I have come to require it for setting up people's profiles.

Another thing I just thought of is that they are also going to require a three-login-attempt lockout on domain accounts as well. This means every time they change their password they will get immediately locked out, since their smartphones are set to auto-sync with their domain account.

I've even been to government organizations with sensitive data that didn't require domain password changes (but the mainframe did). Is it really all that normal for this to be implemented?
 
LVL 21

Expert Comment

by:Papertrip
ID: 36995626
Yep, this is all normal and is best practice, aside from any audit being done.

You had the right idea: handling users and passwords this way is a bad idea.

Not to be rude, but I don't even know where to start to help you fix all of this... There is a lot that you are doing but should not be. I foresee many new questions to EE in your future.

One of the first steps should probably be to set up some domain admin accounts and stop logging into users' accounts, as well as stop keeping a password list (haven't you seen WarGames? ;) )

SOX audits suck, but in the end what they require is usually something you should be doing anyway, and that most definitely applies to this particular case.
 
LVL 1

Author Comment

by:jpwallen
ID: 36995860
Well, yes, we have domain admin accounts, but how would you diagnose a problem that's only happening on one person's user account when that person isn't in the building? If this were Linux it would be a non-issue with the switch-user command, but Windows is completely different in that an authentication token is more than a username.
 
LVL 21

Accepted Solution

by: Papertrip (earned 2000 total points)
ID: 36995899
I'm sure there are better ways to accomplish that, and that is a perfect example of one of the new EE questions I foresaw in your future ;)

Considering that the vast majority of AD admins do not know or keep a list of users' passwords, I expect you will get fast replies to your questions.
 
LVL 1

Author Closing Comment

by:jpwallen
ID: 36996106
Makes sense. I guess the big question is how fast they are going to push this on us.
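Added example (editor's code, not posted by anyone in this thread): the question raises two practical side effects of the settings the auditors asked for, users not knowing their domain password is about to expire, and stale phone or mail clients tripping the new lockout threshold as soon as the password changes. The PowerShell below reads the domain's current password and lockout policy, lists enabled users whose passwords expire within a warning window, and lists accounts the lockout threshold has already caught, so the help desk can handle both proactively instead of by logging in as the user. It assumes the RSAT ActiveDirectory module and Windows Server 2008 or later domain controllers (the msDS-UserPasswordExpiryTimeComputed attribute is constructed by 2008+ DCs); the 14-day window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Assumes the RSAT
# ActiveDirectory module and Server 2008+ domain controllers.
Import-Module ActiveDirectory

$WarnDays = 14   # assumed warning window; adjust to taste

# 1. The settings the auditors are asking about, as currently set on the domain.
$policy = Get-ADDefaultDomainPasswordPolicy
"MaxPasswordAge           : {0} days" -f $policy.MaxPasswordAge.Days
"ComplexityEnabled        : {0}"      -f $policy.ComplexityEnabled
"MinPasswordLength        : {0}"      -f $policy.MinPasswordLength
"LockoutThreshold         : {0}"      -f $policy.LockoutThreshold      # 0 = no lockout
"LockoutDuration          : {0} min"  -f $policy.LockoutDuration.TotalMinutes
"LockoutObservationWindow : {0} min"  -f $policy.LockoutObservationWindow.TotalMinutes

# 2. Enabled users whose passwords expire within $WarnDays, so they can be
#    warned (and told to update phone/mail clients) before the old password
#    starts tripping the lockout threshold.
#    The constructed attribute is a FILETIME; 0x7FFFFFFFFFFFFFFF means "never
#    expires" and 0 means "must change at next logon", so both are skipped.
$neverExpires = 0x7FFFFFFFFFFFFFFF
$expiring = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, EmailAddress |
  Where-Object {
      $_.'msDS-UserPasswordExpiryTimeComputed' -ne 0 -and
      $_.'msDS-UserPasswordExpiryTimeComputed' -ne $neverExpires
  } |
  ForEach-Object {
      $expires = [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
      [pscustomobject]@{
          SamAccountName  = $_.SamAccountName
          EmailAddress    = $_.EmailAddress
          PasswordLastSet = $_.PasswordLastSet
          Expires         = $expires
          DaysLeft        = [math]::Floor(($expires - (Get-Date)).TotalDays)
      }
  } |
  Where-Object { $_.DaysLeft -le $WarnDays } |
  Sort-Object DaysLeft

"Passwords expiring within $WarnDays days:"
$expiring | Format-Table -AutoSize

# 3. Accounts the lockout threshold has already caught (typically a phone or
#    mail client still presenting the old password). Review before unlocking;
#    a lockout with no matching client change is worth a second look.
"Currently locked-out accounts:"
$locked = Search-ADAccount -LockedOut -UsersOnly
$locked | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# Unlock only once the stale client has been fixed (left commented out so it
# is a deliberate, per-account decision):
# $locked | Unlock-ADAccount -Confirm:$true
```

Run this from a domain-joined admin workstation under a dedicated admin account, which is the point the accepted answer makes: none of it requires knowing any user's password, and the expiry report replaces the "they probably won't know about it" problem with a scheduled notice.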