Password changes not being audited


brother_of_karamazov

Just wanted to pass along an issue which may affect your SOX compliance:

If a user is prompted for a password change (expired, forced next login change, etc.) and changes the password while logged in to the web client, the password change event will not be logged in P9312 and will not show up in Security History.

From Oracle:

Dev has successfully replicated the issue on the highest release available so we have opened a SAR 8514911 for the same.
 
Jeff,

My experience with my SOX auditors, internal and external, is that showing a screenshot of the password expiration settings in the system, and a random sample of screenshots showing that users are only allowed X number of password attempts and have to change their password every X number of days, is sufficient evidence. Having to get down to the nitty gritty of showing when each and every user changed their password is not a SOX requirement.

I read recently that as SOX matures a bit (I believe it is now four or five years old), the burden of proof is getting less nit-picky. CIOs have realized the enormous expense of a SOX audit and have pushed back at legislators and the audit firms to come up with reasonable levels of proof of compliance.

The weird thing about SOX 404 is that the laws are fairly vague; it's the audit firms that made things so complex and challenging. Well, now the customer is pushing back. About darn time, too.

Gregg
 
> The weird thing about SOX 404 is that the laws are fairly vague; it's the audit firms that made things so complex and challenging.

Oh, the irony. In response to fiascos like Enron, Messrs. Sarbanes and Oxley enable the very same types of people who facilitated financial fraud on a grand scale with even more authority.

For some strange and awful reason, this reminds me of the U.S. government handing weapons to the same group of people who were killing our soldiers, with hopes they will use those weapons to fight Al-Qaeda.
 
> Oh, the irony. In response to fiascos like Enron, Messrs. Sarbanes and Oxley enable the very same types of people who facilitated financial fraud on a grand scale with even more authority.

Since we're wandering down a tangent, there is a great article I read as part of my MBA classes that talks about the "Revenge of the bean counters."

Back before ERP systems, the bean counters (accountants) had the ultimate control over corporate finances and financial reporting. Then along come ERP systems, and the CIO starts to have a greater role since they manage the computer systems. Then along comes SOX 404, and suddenly the bean counters at the big audit firms have the power and make the CIO dance to their audit tune. And the world goes round and round...

Gregg
 