Would you use temporary / generic user accounts? How do you deal with this regarding compliance?

Disaster Recovery
Risk management
Security Program Management
We have remote offices that have one generic domain account. One of them has it because they have people filling in. Sometimes we have temporary employees and they request temporary accounts. Since we went public, we now need to be compliant with SOX policies. Regarding this, do you think this is acceptable? How would you deal with this case?

Answer Wiki


Hi Arcomona,
I don’t think the issue is really that SOX compliance somehow disallows generic domain accounts. The issue with SOX compliance is what these generic accounts have access to, and how the company’s key information and information processing is protected. Additionally, in some cases, you may need to uniquely identify each access to information, or each action that creates / modifies / deletes information. I would assume that a generic domain account would not have access to anything too sensitive, but that would be something to check.

Discuss This Question: 3  Replies

  • CheckSix
    We got dinged pretty hard for generic accounts, even those not related to sensitive or "in scope" systems or apps. It depends on the auditor and how they interpret SOX in many cases, but it gives them one more thing to look into. While managing accounts for temps is more work on the front end, after three years of SOX and GLBA audits it is worth it on the back end. CheckSix, CISSP
  • Terexrb
    SOX 404 has some minimum requirements and you can get help with this all over the web (ITTLCommunity.com, sarbanes-oxley-101.com). The core issue is that you may have to prove to an auditor who the actual person was ("Monday temp" won't do). You need to show them the person's name, the security you gave them, and that the security was reviewed by their manager. This is almost impossible to do with generic accounts.
  • Ocarmona
    Thank you guys, this helps a lot. I actually have a better concept about this now: it's about proof and accountability. I will not use generic accounts; I'd rather just create an individual account for someone.
