Recent studies and surveys indicate that most information system security threats originate from internal sources, typically through the misuse of privileges. According to one FBI survey, the figure is about 80 percent. Many of the dismissals from the IT departments of major companies have been for internal security violations, and insiders are at the centre of most security breaches.
One widely cited driver of good information security practice is Section 404 of the Sarbanes-Oxley Act (SOX). It requires management to assess and report on internal controls over financial reporting, which in practice obliges organizations to limit and monitor access to the categories of information systems that feed those reports.
"The Sarbanes–Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH)".
A practical problem with SOX compliance is that the supporting systems an organization integrates with its main systems, such as Sun Microsystems' Network Information Service (NIS) or the Lightweight Directory Access Protocol (LDAP), do not by themselves meet the requirements of Section 404. They do not provide granular control over which systems and commands a user may access, and they do not produce the detailed audit logs needed to track user activity and control access on a per-user or per-machine basis.
Working within a framework of such best practices makes it easier to implement and enforce a security policy for privileged accounts. Privileged account management tools centralize password management for the hundreds of systems that typically run in a Windows/UNIX/Linux network, simplifying user authentication and automating access restriction.
One of the main areas of concern under SOX is password management, which raises the following requirements.
Password Policy
- Users should choose their own passwords and be able to set them themselves, without the password being exposed to other staff such as IT support.
- Nature of Password – A password must be at least 8 characters long and include at least one special character (such as # or ?).
- Password Aging – Passwords expire after 3 months, and users are forced to change them every 3 months.
- Password Reuse – A password may not be reused within the following 6 consecutive password changes.
- Login Attempts Limit (Clipping Level) – Three attempts are allowed to enter the password. If the third attempt also fails, the account is locked and the user must contact IT support to have it unlocked manually.
- Display of Last Login Details – After each successful logon, the user should be shown the date, time and location of the last successful logon, and whether there have been any unsuccessful logon attempts since then.
- Audit Trail – An audit trail should record password usage and successful and unsuccessful login attempts, including the date, time, user ID and the workstation the user logged in from.
- If a particular IT system cannot enforce the above policy, a policy as close as possible to it should be implemented, and all deviations should be clearly documented.
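To make the list above concrete, here is an added reference implementation of the same controls (complexity, 6-deep reuse history, 90-day ageing, lockout after the third failure, last-logon banner and an audit trail carrying date, time, user ID and workstation). It is not code from the original post: the account names, workstation IDs and timestamps are constructed for the example, the password store is an in-memory list of salted PBKDF2 hashes, and the audit trail is a list rather than a log service. On a real Linux host these rules are normally enforced by PAM modules (pam_pwquality, pam_pwhistory, pam_faillock, pam_lastlog) and PASS_MAX_DAYS in /etc/login.defs rather than by custom code; the point of the example is to show what each rule means operationally.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy parameters from the list above. PBKDF2_ROUNDS is our choice,
# kept low so the example runs quickly; tune it upward in production.
MIN_LENGTH = 8
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/\\|~`'\"<>")
MAX_AGE = timedelta(days=90)      # "3 months"
HISTORY_DEPTH = 6                 # no reuse within 6 changes
CLIPPING_LEVEL = 3                # lock after the third failure
PBKDF2_ROUNDS = 50_000

AUDIT: List[Dict[str, str]] = []  # constructed stand-in for the audit trail


@dataclass
class Account:
    user: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    changed_at: Optional[datetime] = None
    failures: int = 0              # consecutive failures, drives the lockout
    failed_since_success: int = 0  # reported in the last-logon banner
    locked: bool = False
    last_success: Optional[Tuple[datetime, str]] = None  # (time, workstation)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _audit(event: str, acct: Account, workstation: str, when: datetime) -> None:
    # Date, time, user ID and workstation, as the policy requires.
    AUDIT.append({"time": when.isoformat(), "user": acct.user,
                  "workstation": workstation, "event": event})


def _in_history(acct: Account, candidate: str) -> bool:
    # Each stored entry has its own salt, so the candidate is re-derived per entry.
    return any(hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest in acct.history[-HISTORY_DEPTH:])


def change_password(acct: Account, candidate: str, when: datetime) -> Tuple[bool, str]:
    """Apply the complexity and reuse rules; store only a salted hash."""
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if not any(ch in SPECIALS for ch in candidate):
        return False, "no special character"
    if _in_history(acct, candidate):
        return False, "matches one of the last %d passwords" % HISTORY_DEPTH
    salt = os.urandom(16)
    acct.history.append((salt, _digest(candidate, salt)))
    acct.changed_at = when
    return True, "password changed"


def is_expired(acct: Account, when: datetime) -> bool:
    return acct.changed_at is None or when - acct.changed_at > MAX_AGE


def login(acct: Account, candidate: str, workstation: str, when: datetime) -> Tuple[bool, str]:
    """Authenticate, enforce the clipping level, and report last-logon details."""
    if acct.locked:
        _audit("refused, account locked", acct, workstation, when)
        return False, "account locked; contact IT support"
    if not acct.history:
        _audit("refused, no password set", acct, workstation, when)
        return False, "no password set"
    salt, digest = acct.history[-1]
    if not hmac.compare_digest(_digest(candidate, salt), digest):
        acct.failures += 1
        acct.failed_since_success += 1
        _audit("login failed (%d/%d)" % (acct.failures, CLIPPING_LEVEL), acct, workstation, when)
        if acct.failures >= CLIPPING_LEVEL:
            acct.locked = True
            _audit("account locked", acct, workstation, when)
            return False, "account locked; contact IT support"
        return False, "invalid password"
    _audit("login ok", acct, workstation, when)
    if acct.last_success is None:
        banner = "first logon"
    else:
        prev_time, prev_ws = acct.last_success
        banner = "last logon %s from %s" % (prev_time.isoformat(), prev_ws)
    banner += "; %d failed attempt(s) since then" % acct.failed_since_success
    if is_expired(acct, when):
        banner += "; password expired, change required"
    acct.failures = 0
    acct.failed_since_success = 0
    acct.last_success = (when, workstation)
    return True, banner


def unlock(acct: Account, admin: str, when: datetime) -> None:
    """Manual unlock by IT support; the unlock itself is audited."""
    acct.failures = 0
    acct.locked = False
    _audit("unlocked by %s" % admin, acct, "helpdesk", when)
```

Note that `failures` (which drives the lockout and is cleared by the help desk) is kept separate from `failed_since_success` (which is only cleared by a successful logon), so the banner still tells the user about the three failed attempts that got the account locked.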