Audit and Info System

Category: Business and Industry

Date Submitted: 03/12/2012 12:41 PM

Case #1

There are password control risks associated with the new computer system. Based on the case, employees requiring computer access will be given a user name and password. This information must be entered when the system is turned on. Correct entry will give the user access; incorrect entry will prevent the user from gaining access. The password must be entered again if a computer terminal is left idle for more than 5 minutes. Users are required to change their passwords once every year (1). The underlying risks are that users may forget their passwords and be locked out of the system, fail to change their passwords every year, write their passwords down and display them for others to see, or choose passwords so simple that they can be guessed (2). To prevent these problems, auditors must make sure that BBC has an effective password policy for controlling access to the new system. The auditor may verify that users are instructed in the use of passwords and the importance of password control, review password control procedures to ensure that passwords are changed regularly, make sure the passwords are strong and complex enough, and verify that the password file is encrypted and that the encryption key is properly secured. In addition, the auditor should improve the system by allowing 2-3 failed log-on attempts, in case some users accidentally mistype their passwords; however, the number of failed log-on attempts allowed should be discussed further to ensure the security of the new system.
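The three time-based controls in the case (annual password change, re-entry after 5 idle minutes, a limit on failed log-ons) can be tested against exported system data. The following is an added example, not part of the original essay: the account list, the event names (`LOGON_OK`, `LOGON_FAIL`, `ACTIVITY`), the user names and the limit of 3 failed attempts are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=365)  # case: change password once every year
IDLE_LIMIT = timedelta(minutes=5)       # case: re-enter password after 5 idle minutes
MAX_FAILED = 3                          # assumed value within the essay's 2-3 range

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: user -> date of last password change
ACCOUNTS = {"asmith": t("2012-01-10 09:00"), "bjones": t("2010-11-02 09:00"),
            "clee": t("2011-06-01 09:00")}
# Constructed sample log in a hypothetical format: (timestamp, user, event)
EVENTS = [
    (t("2012-03-12 08:00"), "asmith", "LOGON_OK"),
    (t("2012-03-12 08:03"), "asmith", "ACTIVITY"),
    (t("2012-03-12 08:20"), "asmith", "ACTIVITY"),   # 17 idle minutes, no re-entry
    (t("2012-03-12 09:00"), "bjones", "LOGON_FAIL"),
    (t("2012-03-12 09:01"), "bjones", "LOGON_FAIL"),
    (t("2012-03-12 09:02"), "bjones", "LOGON_FAIL"),
    (t("2012-03-12 09:03"), "bjones", "LOGON_OK"),   # accepted after 3 failures
    (t("2012-03-12 10:00"), "clee", "LOGON_FAIL"),
    (t("2012-03-12 10:01"), "clee", "LOGON_OK"),
    (t("2012-03-12 10:04"), "clee", "ACTIVITY"),
]

def stale_passwords(accounts, as_of):
    """Users whose password is older than the annual change requirement."""
    return sorted(u for u, changed in accounts.items()
                  if as_of - changed > MAX_PASSWORD_AGE)

def control_exceptions(events):
    """Events showing the idle re-entry or failed-attempt control did not operate."""
    last_seen, fails, found = {}, {}, []
    for ts, user, kind in sorted(events):
        if kind == "LOGON_FAIL":
            fails[user] = fails.get(user, 0) + 1
            continue                      # a failed attempt is not session activity
        if kind == "LOGON_OK" and fails.get(user, 0) >= MAX_FAILED:
            found.append((user, "logon accepted after lockout threshold"))
        if kind == "ACTIVITY" and user in last_seen and ts - last_seen[user] > IDLE_LIMIT:
            found.append((user, "idle session resumed without password"))
        if kind == "LOGON_OK":
            fails[user] = 0               # successful logon resets the failure count
        last_seen[user] = ts
    return found
```

Each item returned is an exception for the auditor to follow up on, not proof of misuse; for example, an administrator reset that the log does not record would explain a logon after repeated failures.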

References:

(1) Security and Control Assessment, ‘Information Technology Auditing’, p. 128

(2) Auditing Operating Systems and Networks, ‘Information Technology Auditing’, p. 71