The Sarbanes Oxley Act of 2002 does not explicitly address password management. Section 404, perhaps the law's most notorious clause which deals with the internal controls required for financial reporting, states that it is "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." If password sharing and the process and controls around it are documented, and the risk associated with this practice is accepted formally by the business, there is no need to interject yourself into the situation.
If this is not the case, the manager may not understand the risks associated with password sharing. I recommend drafting a document to share with management that identifies the threats associated with password sharing and the consequences of those threats being realized in real-world terms.
The document should not only include the possible business effect and real-world repercussions, but also the appropriate process for account management that should be in place, namely one account for each individual. As an information security professional, urge the manager to contribute to the document and reach out to the business line to consult with them on putting proper account management or formally documenting their acceptance of this risk.
In general though, the practice of password sharing is inappropriate and represents risk to the organization because there is no accountability. One way to curtail it is to collect some user authentication data, such as city of birth and mother's maiden name, for all contractors. When the contractor calls in to reset his or her password, the help desk can ask for this information and compare the answers. This gives more assurance that the person calling is the owner of the ID.
Dig Deeper on Security audit, compliance and standards
Related Q&A from David Griffeth
Are users at your enterprise creating weak passwords that could potentially lead to serious data breaches? In this identity and access management ... Continue Reading
Virtualization is a technology that's taking off, but how can information security professionals know how it will interact with their existing ... Continue Reading
Periodic access reviews for enterprise identity and access management (IAM) can help ensure the necessary personnel have access to essential systems ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.