
Does password sharing in international branches violate SOX?

Does password sharing in a company's international branch violate Sarbanes-Oxley compliance? Learn about enterprise password management solutions for international companies.

I worked for an NYSE-listed company. Our IT contractors in India were using each other's passwords, which I believe is a clear violation of SOX. I gave substantial proof to my IT manager. He did not take any actions against the contractors in India. What should I do? Is it indeed a SOX violation, and what are the implications?

The Sarbanes-Oxley Act of 2002 does not explicitly address password management. Section 404, perhaps the law's most notorious clause, deals with the internal controls required for financial reporting. It states that it is "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." If password sharing, and the process and controls around it, are documented, and the business has formally accepted the risk associated with this practice, there is no need to insert yourself into the situation.

If this is not the case, the manager may not understand the risks associated with password sharing. I recommend drafting a document to share with management that identifies the threats associated with password sharing and the consequences of those threats being realized in real-world terms.

The document should include not only the possible business effect and real-world repercussions, but also the appropriate account management process that should be in place, namely one account for each individual. As an information security professional, urge the manager to contribute to the document and to reach out to the business line, consulting with them on putting proper account management in place or formally documenting their acceptance of this risk.

In general, though, the practice of password sharing is inappropriate and represents a risk to the organization because there is no accountability. One way to curtail it is to collect some user authentication data, such as city of birth and mother's maiden name, for all contractors. When a contractor calls in to reset his or her password, the help desk can ask for this information and compare the answers. This gives more assurance that the person calling is the owner of the ID.
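As an added illustration, not part of the original column, the following script shows one way to turn authentication logs into the kind of real-world evidence the document described above calls for: it flags accounts that authenticate from several different workstations within a short window, which is what a shared ID looks like in the logs. The log format, user IDs and host names are constructed for the example and are not from any real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format):
# "<ISO timestamp> LOGIN user=<id> host=<workstation>"
SAMPLE_LOG = """\
2008-12-01T09:00:12 LOGIN user=contractor01 host=blr-ws-101
2008-12-01T09:03:40 LOGIN user=contractor01 host=blr-ws-117
2008-12-01T09:05:02 LOGIN user=contractor02 host=blr-ws-102
2008-12-01T13:10:00 LOGIN user=contractor02 host=blr-ws-102
2008-12-01T09:07:55 LOGIN user=contractor01 host=blr-ws-133
2008-12-02T09:01:09 LOGIN user=contractor03 host=blr-ws-105
2008-12-02T17:30:00 LOGIN user=contractor03 host=blr-ws-140
"""


def parse_events(text):
    """Parse LOGIN lines into (timestamp, user, host) tuples; skip anything else."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "LOGIN":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]), fields["user"], fields["host"]))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30), min_hosts=2):
    """Return {user: sorted hosts} for every account seen on at least
    `min_hosts` distinct workstations within any `window`-long period.
    One person rarely logs in from three desks in a few minutes; several
    people using one ID do, and that is the accountability gap to document."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so each slice starts at `start`
        for i, (start, _) in enumerate(logins):
            hosts = {h for ts, h in logins[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: used from {len(hosts)} workstations within 30 min: {hosts}")
```

Runs of flagged accounts, together with the dates and hosts involved, are the concrete material to attach to the risk document rather than a general assertion that passwords are being shared.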


This was last published in December 2008
