Hi Janelle,
Probably not. Here is a post from long ago from one of our experienced Adagio consultants:
Hi Everyone!
I just caught this thread - As a CISA (Certified Information Systems Auditor) who's been trained in assessing all of these corporate IT governance schemes (and this puppy smells of COBIT or ISO or similar), I think I know EXACTLY what the auditors have told this client, and what should be meant by this new password scheme to which the client should be moving.
I'll save the whole theoretical discussion/debate about "one user/password for all resources" vs "different user/password for all applications" -- there are pros and cons for each method. But suffice it to say that if they do configure the logins to "remember passwords," then Adagio DOES link application access to the Windows-style login credentials: when Windows prompts the user to change the password every 90 days, by default the access to Adagio applications will be protected the same way (Andrew, I do believe you mentioned this earlier in the thread). While it's true that Adagio itself isn't forcing a 90-day password change, the linkage to the Windows/network credential achieves the same IS control objective -- which is to restrict access to the application (and by extension, the data areas) to the specific group access policies that are enforced at the network level.
To ensure that the process is iron-tight, there ARE a few other steps that we Adagio consultants (or more particularly our clients) need to consider:
- Creation of the security groups and access privileges within EACH Adagio module DOES need to be routinely reviewed to ensure that they conform to the overall NETWORK access rights -- essentially, the permissions should mirror. For example, if the network user is only supposed to have "viewing rights" to financial information and not "writing rights", then somebody has to make sure that the Adagio permissions reflect this as well. Under Information Security policies, there should be a requirement that this congruence is reviewed periodically (quarterly, semiannually, definitely annually) to make sure that additional privileges have not been accidentally granted to the end user.
- Similarly, the company should be periodically reviewing the list of users who DO have access to the financial system to make sure that the list is still accurate and that appropriate access has been arranged. If a user is "removed" from access at the network level, they would automatically be denied access to Adagio, as the login credentials would have been removed at the network/desktop level.
Sidebar #1: Regardless of what the IT Administrator is saying, all of this stuff *IS* about access to the data -- there's absolutely no point in putting in any network/application level security protection if the underlying data can be easily accessed by anyone outside of the security regime. I would contend that this client has a bigger problem if the new policy is driving them to store data on local machines -- if the data is there, how do they back it up? What if a hard drive fails, how will their business continuity management/disaster recovery plan processes get them back into operation? I think that somebody is completely missing the point of the IS requirements here -- either the auditor hasn't explained it well to the client, or the client is picking up on certain literal policy decrees without actually understanding the underlying principles behind them.
Sidebar #2: To borrow from Star Wars, there is a long-shot "unguarded exhaust shaft straight to the heart of the central reactor" weakness to how Softrak has implemented their "use Windows security credentials" approach. I don't even know for sure if it actually IS exploitable, or what threat vector could be used to get at it. And even if it could be exploited, you're talking pretty heavy-duty technical know-how needed - and if faced with that threat, I'd contend that the IT administrator has bigger problems on his/her hands . . . .
Sorry for the long reply. Hope it's some help.
_________________________
Regards,
R. Grant Rowson, CISA, CGA
Manager
BDO Canada Technology Solutions, Inc.
Thunder Bay Office
I'm definitely with Grant on this one, and in my experience, tight security in an accounting application almost always "gets in the way" of someone trying to do their job. We log almost everything that goes on in Adagio, and the data is stored redundantly in many different files, so covering efforts to defraud is very difficult.
Perhaps you can show Grant's comments to those responsible for the policy, and see if it addresses their concerns.