What Does a Password Have to Do with My Audit?

As auditors, it is often difficult to see exactly how technology could impact our audit. All this talk of passwords, user setup and system security is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” We’d like to think that everyone is always honest, but there are more financial pressures than ever in today’s economy, and we are all human. When security is not correct, it creates open doors to fraud. I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. Technically, greed was the root cause, but you know what I mean!  So what can we do, and how do we communicate the need to close these “open doors” to the client?  Here we cover the first of four topics:

  1. Password Security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

Password Security

We need to cover the basic general IT controls during our audit. Let’s talk about one key area: password controls.

First, we need to test controls around user passwords and see that their password parameters are in line with common standards:

  • 6-8 character password – take a look at these statistics on how long it takes to crack a password depending on its length and the characters it uses. The chart below shows the amount of time needed for an attacker to compromise a password with the stated attributes. I think the chart says it all!

Password Length   All Characters   Only Lowercase
3 characters      0.86 seconds     0.02 seconds
4 characters      1.36 minutes     0.046 seconds
5 characters      2.15 hours       11.9 seconds
6 characters      8.51 days        5.15 minutes
7 characters      2.21 years       2.23 hours
8 characters      2.10 centuries   2.42 days

  • Complexity enabled – creating a password that requires both upper and lower case, numeric and symbols significantly increases the strength. Additionally, utilizing password logic such as using the first letter of phrases and symbols to replace certain letters makes a password very strong.
  • Password expiration every 60-90 days – password expiration is a passionately-debated setting. Some will tell you that they would rather have a strong password that never expires, and some would say that they want to change it every 30 days. Somewhere in between is a more accepted answer. “Never expiring” settings increase the likelihood that others will obtain the password, whereas having the password expire too frequently only increases the likelihood that the password will be found on a sticky note under the keyboard! An expiration of 60-90 days serves as a solid password life.
  • 3-5 passwords remembered – the passwords-remembered setting is important because, when you have to change your password, it prevents you from reusing the same one over and over.
  • 3-5 days minimum password age – a minimum-age setting prevents a user from changing the password 3-5 times in a row (the number remembered per the previous bullet) just to get back to the original password.
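To make the five parameters above concrete, here is an added example (not from the original post) that checks a password-policy export against the baseline the bullets describe and shows why the complexity bullet matters: it compares the number of possible 8-character passwords over lowercase letters only with the number over all printable characters. The field names (min_length, complexity, max_age_days, history_count, min_age_days) and the two sample policies are constructed for illustration and are not the setting names of any particular system; treating 8 rather than 6 as the minimum length is this example's assumption, following the chart.

```python
"""Audit a password-policy export against the parameters listed in this post.

Added example, not from the original article. Field names and sample policies
are constructed; they are not any product's real setting names.
"""
from __future__ import annotations
from dataclasses import dataclass

# Baseline taken from the bullets. The post gives 6-8 characters as the range;
# this check treats 8 as the minimum, since the chart argues for the top of it.
MIN_LENGTH = 8
MAX_AGE_RANGE = (60, 90)   # days; 0 in a policy export means "never expires"
MIN_HISTORY = 3            # passwords remembered
MIN_PASSWORD_AGE = 3       # days before a user may change the password again


@dataclass(frozen=True)
class PasswordPolicy:
    """A password-parameter export, in the shape an auditor might receive."""
    min_length: int
    complexity: bool
    max_age_days: int
    history_count: int
    min_age_days: int


def audit_policy(policy: PasswordPolicy) -> list[str]:
    """Return one finding per parameter that misses the baseline (empty = compliant)."""
    findings = []
    if policy.min_length < MIN_LENGTH:
        findings.append(f"minimum length {policy.min_length} is below {MIN_LENGTH}")
    if not policy.complexity:
        findings.append("complexity requirement is disabled")
    low, high = MAX_AGE_RANGE
    if policy.max_age_days == 0:
        findings.append("passwords never expire")
    elif not low <= policy.max_age_days <= high:
        findings.append(f"expiration of {policy.max_age_days} days is outside {low}-{high}")
    if policy.history_count < MIN_HISTORY:
        findings.append(f"only {policy.history_count} passwords remembered; baseline is {MIN_HISTORY}")
    if policy.min_age_days < MIN_PASSWORD_AGE:
        # Without a minimum age a user can cycle through the remembered
        # passwords in minutes and land back on the original one.
        findings.append(f"minimum password age of {policy.min_age_days} days lets history be cycled")
    return findings


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def keyspace_ratio(length: int, large_alphabet: int, small_alphabet: int) -> int:
    """How many times more guesses the larger alphabet forces at the same length."""
    return keyspace(length, large_alphabet) // keyspace(length, small_alphabet)


# Constructed sample exports: a weak policy and one that meets the baseline.
WEAK_POLICY = PasswordPolicy(min_length=6, complexity=False, max_age_days=0,
                             history_count=0, min_age_days=0)
COMPLIANT_POLICY = PasswordPolicy(min_length=8, complexity=True, max_age_days=90,
                                  history_count=5, min_age_days=3)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("compliant", COMPLIANT_POLICY)):
        findings = audit_policy(policy)
        print(f"{name} policy: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
    # 26 lowercase letters versus the 95 printable ASCII characters
    print("8-char keyspace, lowercase only:", keyspace(8, 26))
    print("8-char keyspace, all printable: ", keyspace(8, 95))
    print("complexity multiplies the guessing work by about", keyspace_ratio(8, 95, 26), "x")
```

Run as written, the weak export produces five findings, one per bullet, which is the list an auditor would carry into the management letter; the compliant export produces none. The keyspace figures show the shape of the chart above: at the same length of 8, requiring all character classes multiplies the number of possible passwords by tens of thousands.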

The true point of a password is to ensure that the user logging in is really that user. If passwords are weak, it opens the doors to co-workers being able to process transactions as other users as well as allowing unauthorized users to gain access to the financial data we are relying on for our audit.

Next month we’ll talk about user security groups….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23
