rent password, access is permitted.
Audit Objectives Relating to Passwords
The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.
Audit Procedures Relating to Passwords
The auditor may achieve this objective by performing the following tests:
- Verify that all users are required to have passwords.
- Verify that new users are instructed in the use of passwords and the importance of password control.
- Review password control procedures to ensure that passwords are changed regularly.
- Review the password file to determine that weak passwords are identified and disallowed. This may involve using software to scan passwords for known weak passwords.
- Verify that the password file is encrypted and that the encryption key is properly secured.
- Assess the adequacy of password standards such as length and expiration interval.
- Review the account lockout policy and procedures. Most operating systems allow the system administrator to define the action to be taken after a certain number of failed log-on attempts. The auditor should determine how many failed log-on attempts are allowed before the account is locked. The duration of the lockout also needs to be determined. This could range from a few minutes to a permanent lockout that requires formal reactivation of the account.
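An added example, not part of the text: a Python script that applies several of the tests above (required passwords, expiration interval, minimum length, lockout threshold and lockout duration) to constructed Linux samples in the formats of /etc/login.defs, pam_faillock's faillock.conf and /etc/shadow. The threshold values in STANDARDS are assumed audit standards, not figures from the text.

```python
import re

# Constructed sample inputs in the format of the real files (not real systems).
LOGIN_DEFS = """\
PASS_MAX_DAYS   365
PASS_MIN_LEN    6
"""
FAILLOCK_CONF = """\
deny = 10
unlock_time = 60
"""
SHADOW = """\
root:$6$salt$hash:19500:0:99999:7:::
alice:$6$salt$hash:19500:0:90:7:::
svc_backup::19500:0:99999:7:::
"""

# Assumed audit standards: min length, expiration interval (days),
# failed log-on attempts before lockout, and minimum lockout duration (seconds).
STANDARDS = {"min_len": 8, "max_days": 90, "max_attempts": 5, "lockout_secs": 900}


def parse_settings(text):
    """Parse 'KEY value' (login.defs) or 'key = value' (faillock.conf) lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = re.match(r"(\w+)\s*=?\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(login_defs, faillock, shadow, std=STANDARDS):
    """Return a list of audit findings; an empty list means every test passed."""
    findings = []
    ld, fl = parse_settings(login_defs), parse_settings(faillock)
    if int(ld.get("PASS_MIN_LEN", 0)) < std["min_len"]:
        findings.append("PASS_MIN_LEN below standard")
    if int(ld.get("PASS_MAX_DAYS", 99999)) > std["max_days"]:
        findings.append("PASS_MAX_DAYS exceeds expiration interval")
    deny = int(fl.get("deny", 0))
    if deny == 0 or deny > std["max_attempts"]:
        findings.append("lockout threshold missing or too high")
    unlock = int(fl.get("unlock_time", 600))  # 0 = permanent lockout (admin reset)
    if unlock != 0 and unlock < std["lockout_secs"]:
        findings.append("lockout duration too short")
    for entry in shadow.splitlines():
        if not entry.strip():
            continue
        fields = entry.split(":")  # name:hash:lastchg:min:max:warn:inactive:expire
        name, pw_hash, max_age = fields[0], fields[1], fields[4]
        if pw_hash == "":
            findings.append(f"{name}: no password required")
        if max_age == "" or int(max_age) > std["max_days"]:
            findings.append(f"{name}: password exceeds expiration interval")
    return findings
```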