When it comes to IT controls, auditors look to see if policies and procedures are in place to protect sensitive...
customer and financial data. Proof of these controls is enshrined in documentation outlining IT security policies, procedures and how data is protected. These safeguards could include access control, encryption, firewall architectures and virus protection. Your auditors are probably concerned that using the Administrator account is a weak form of server access control. They probably think these servers contain sensitive financial information that, if not properly secured, could be compromised.
Auditors love paper, and the best way to change the policy you described is to perform a thorough risk analysis of your servers and the data they host. If you can prove to the auditors -- and document it with the risk analysis -- that the data isn't sensitive and there's a low risk of exposure, you may be able to keep using the Administrator account, but plan carefully. Ask yourself the following questions: What data do these servers host? How sensitive is it? Is it confidential customer information, insider financial reports or harmless marketing data for projecting sales? Is use of the servers limited to a small group or widespread throughout your enterprise?
Again, auditors love paper, so whatever you do, document it.
Dig Deeper on Sarbanes-Oxley Act
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.