Does password sharing in international branches violate SOX?

I worked for an NYSE-listed company. Our IT contractors in India were using each other's passwords, which I believe is a clear violation of SOX. I gave substantial proof to my IT manager. He did not take any actions against the contractors in India. What should I do? Is it indeed a SOX violation, and what are the implications?

The Sarbanes-Oxley Act of 2002 does not explicitly address password management. Section 404, perhaps the law's most notorious clause, which deals with the internal controls required for financial reporting, states that the required report must state "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." If password sharing and the process and controls around it are documented, and the risk associated with this practice is accepted formally by the business, there is no need to interject yourself into the situation.

If this is not the case, the manager may not understand the risks associated with password sharing. I recommend drafting a document to share with management that identifies the threats associated with password sharing and the consequences of those threats being realized in real-world terms.

The document should not only include the possible business effect and real-world repercussions, but also the appropriate process for account management that should be in place, namely one account for each individual. As an information security professional, you should urge the manager to contribute to the document and reach out to the business line to consult with them on putting proper account management in place or formally documenting their acceptance of this risk.

In general though, the practice of password sharing is inappropriate and represents risk to the organization because there is no accountability. One way to curtail it is to collect some user authentication data, such as city of birth and mother's maiden name, for all contractors. When the contractor calls in to reset his or her password, the help desk can ask for this information and compare the answers. This gives more assurance that the person calling is the owner of the ID.

This was first published in December 2008