Thread: Shared passwords (https://community.spiceworks.com/t/shared-passwords/236146)

private3464, 2013-08-29T18:20:46Z, 13 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/1

Hey Guys,

This is my first post but I had a very important question - What are the requirements for passwords in SOX 404? I am working for a company that has very few unique passwords. All of our locations use generic passwords and everyone shares logins. We have no individual logins for AD or anything. What are the penalties for violating SOX in this way (yes, we are a public company)? I just joined the team but I want to know if staying here will damage my career if we are in violation. We are very disorganized and nothing is documented. Should I stay here and wait things out, or should I “jump ship”?

Oh, something I forgot to mention is that our upper level management does not want to change our current credential policy because it’s “convenient to share passwords”. #WHAT?!?!

ccraddock, 2013-08-29T18:23:49Z, 4 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/2

Even with no regulations to comply with there is no way I would want to deal with that.

private3464, 2013-08-29T18:25:08Z, 1 upvote
https://community.spiceworks.com/t/shared-passwords/236146/3

Trust me, it’s a nightmare. But our CIO just doesn’t see the need to change. We have an audit coming up in a month and we are nowhere near ready. We have been working 60 hour work weeks to prepare… Should I stay and see what happens?

margietodd, 2013-08-29T18:26:42Z, 1 upvote
https://community.spiceworks.com/t/shared-passwords/236146/4

It sounds like management needs intensive training. Are the shareholders aware or is it middle management? When you talk to the people that have money and reputation to lose then the story may change.

private3464, 2013-08-29T18:27:39Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/5

The shareholders are not aware, we have only been public for a year and this is our first audit. I just joined the company a year ago.

ccraddock, 2013-08-29T18:29:01Z, 1 upvote
https://community.spiceworks.com/t/shared-passwords/236146/6

Seems SOX doesn’t really say anything about passwords but they say you need sufficient controls to limit access. Here’s an article. I highly doubt shared passwords are considered sufficient controls.

http://www.scmagazine.com/root-passwords--the-key-to-sox-section-404-compliance/article/34591/#

margietodd, 2013-08-29T18:29:28Z, 5 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/7

Your CIO??? Then that person does NOT deserve the title. I would run for the hills if I were you. As a member of the executive team he/she should have been trained in the CODE of ETHICS. You may want to print the following article and leave it on his/her desk.

http://www.techrepublic.com/article/the-cios-code-of-ethics-for-managing-electronic-data/

ccraddock, 2013-08-29T18:29:54Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/8

Also check this out

https://correlog.com/support-public/SOX-Compliance.pdf

private3464, 2013-08-29T18:30:20Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/9

I work in the corporate office, and all of the officers are aware of this problem but don’t want to change. It’s frustrating!

bmercer, 2013-08-29T18:36:42Z, 3 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/10

DOCUMENT your concerns and the responses you got. Try to get responses in writing or email form if possible.

That will cover you in the event that someone tries to blame you later on.

As to whether to stick around, what you describe could be a nightmare, but it also could be an awesome opportunity to show your stuff. Just make sure you document everything you’ve said about your concerns.

bmercer, 2013-08-29T18:39:47Z, 1 upvote
https://community.spiceworks.com/t/shared-passwords/236146/11

With regard to passwords, Sarbanes-Oxley does not require specific password policies. It requires controls be in place to limit people’s access to data to only what they need. Passwords are not the only way to accomplish that, but it’s absolutely certain that having a bunch of people share passwords is NOT acceptable, because there’s no way to know who accessed what. This is a no-brainer, and it’s astonishing that a CIO would suggest that it’s too inconvenient to obey the law.

private3464, 2013-08-29T18:45:38Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/12

Would it hurt my career to stay if we are audited and not compliant? Our CIO was actually JUST let go but that is also concerning because now we have no one to lead us into compliance.

ccraddock, 2013-08-29T18:48:26Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/13

If it were me and the CIO was let go I would be taking over as much as possible because now you’re the only guy and whatever happens on the audit upper management will probably lay on you.

bretowen9169, 2013-08-29T18:51:32Z, 3 upvotes (accepted answer)
https://community.spiceworks.com/t/shared-passwords/236146/14

Honestly, this depends on how good your auditors are - some of this is “for show” and/or someone important may take them all for a nice lunch/dinner and it will all wash over.

Either way - try to get this “sharing a password is OK” nonsense in an email from whoever told you it’s OK; if it ever comes down to it at least you can’t be blamed that this was your “great idea”.

They can still find plenty of ways to nail you for it, or depending on how much your audit snowballs, you may want to look for another job.

Personally, I would never want to be in this situation and would have left already. …but I understand not everyone is in a position to do that. When you’re the “IT Guy” and other people who aren’t the “IT Guy” are telling you “it’s OK to do it wrong” it’s time to walk; they clearly have no respect for your knowledge/talent/position - so let this be their problem, not yours.

private3464, 2013-08-29T18:51:45Z, 0 upvotes
https://community.spiceworks.com/t/shared-passwords/236146/15

I mistyped in my response… I have only been with the company for a month. The CIO wasn’t the only one who didn’t want to change. Our entire board is stubborn, they don’t want any changes. They want us to use antique phone systems instead of VoIP because it’s “more convenient for users”. They want us to do away with our ticketing system and “Answer the phone, solve the problem. No need for a ticket, right?” It’s crazy.

(following reply, author and date not present on the page)

I can point you towards a software solution called UserLock that helps an organization get SOX compliance with regards to access control and stops shared passwords.