Would you use temporary / generic user accounts? How do you deal with this regarding compliance?
Tags:
Compliance
CRM
Disaster Recovery
Laws
Policies
Regulations
Risk management
Security Program Management
standards
We have remote offices that have one generic domain account. One of them has it because they have people filling in. Sometimes we have temporary employees and they request temporary accounts. Since we went public, we now need to be compliant with SOX policies. Regarding this, do you think this is acceptable? How would you deal with this case?

Answer Wiki

Hi Arcomona,
I don’t think the issue is really that SOX compliance somehow disallows generic domain accounts. The issue with SOX compliance is what these generic accounts have access to, and how the company’s key information and information processing is protected. Additionally, in some cases, you may need to uniquely identify each access to information, or each action that creates / modifies / deletes information. I would assume that a generic domain account would not have access to anything too sensitive, but that would be something to check.
Rgds,

Discuss This Question: 3 Replies

  • CheckSix
    We got dinged pretty hard for generic accounts, even those not related to sensitive, or "in scope" systems or apps. Depends on the auditor and how they interpret SOX in many cases, but it gives them one more thing to look into. While managing accounts for temps is more work on the front end, after three years of SOX and GLBA audits it is worth it on the back-end. CheckSix, CISSP
    15 points
  • Terexrb
    SOX 404 has some minimum requirements and you can get help with this all over the web (ITTLCommunity.com, sarbanes-oxley-101.com). The core issue is that you may have to prove to an auditor who the actual person was ("Monday temp" won't do). You need to show them the person's name, the security you gave them, and that the security was reviewed by their manager. This is almost impossible to do with generic accounts.
    0 points
  • Ocarmona
    Thank you guys, this helps a lot. I actually have a better concept about this now... it's about proof and accountability. I will not use generic accounts; I would rather just create an individual account for someone.
    0 points