??? | recommend to eliminate password sharing? | Case Study | 5.16.4 |

5.16.4 Case Study D
A major financial institution has just implemented a centralized banking solution (CBS) in one of its branches. It has a secondary concern to look after marketing of the bank. Employees of a separate legal entity work on the bank premises, but they have no access to the bank's solution software. Employees of other branches get training on this solution from this branch and for training purposes temporary access credentials are also given to such employees. IS auditors observed that employees of the separate legal entity also access the CBS software through the branch employees access credentials, IS auditors also observed that there are numerous active IDs of employees who got training from the branch and have since been transferred to their original branch.

D1. Which of the following should IS auditors recommend to effectively eliminate such password sharing?

A. Assimilation of security need to keep password secret
B. Stringent rules prohibiting sharing of password
C. Use of smart card along with strong password
D. Use of smart card along with employee's terminal ID

CISA Review Manual 26th Edition
page 413

Find more posts tagged with

Comments

beads

The ninth circuit has recently ruled password sharing to be illegal. Expect this to work its way to the SCOTUS for a final ruling. But this does appear from a legal standpoint where the law intends to go making the auditor's job easy to recommend the final solution.

Of course two factor will always be more secure and in an ideal world three factor, something: you know; you have; you are. Would be best but progress takes time and many times as in science as well as business moves forward one funeral at a time.

- b/eads

coffeeisgood

Lets not forget about

4FA = Four Factor Authentication

Something you know (password, PIN, etc.)
Something you have (mobile phone, credit card, smart card, etc.)
Something you are (fingerprint, hand hand geometry, etc.)
and
Something you can do, (accurately reproducing a signature measure speed/pressure)

I have also heard of the rise of other factors (or fifth, six factor authentication)

Sometime it is
5th - Time (verification of employee IDs against work schedules)

Somewhere you are
6th - Location (GPS location, i.e. ATM use in United States, then 10 minutes later say somewhere in Europe)

this is going a bit overkill for CISA but interesting

anyway, this question (& it's book answer has me a bit perplexed)
I am trying to understand the ISACA thought process.... trying...

gespenstern

Yeah. Something you forgot, something you once had and something you once were. Damn humans, they always find a way to screw security.

coffeeisgood

FYI : the option being picked with the most votes right now is NOT the book answer

you cannot see the poll results until you vote

I eventually will post the book answer, until then login & vote

wd40

An unrelated note, I have the 25th CISA manual and the book ends at page 378, then the appendices start.

I can't find this question in Chapter 5 case studies, so the question now is: it was thought that ISACA basically only changes the cover is this really the case?

gespenstern

coffeeisgood wrote: »

FYI : the option being picked with the most votes right now is NOT the book answer

LOL! Then it's D, there's no way it is A or B!

A is a BS answer and B can't be right because immediately upon getting credentials or before getting them new employees get to sign acceptable use policy and get instructed that the passwords aren't for share.

In case of D IS auditors seem to be okay with employees and contractors giving each other cards instead of passwords!

PS Also be aware that the thread could be wasted because mods don't want ISACA going after TE with copyright infringement claims

TheFORCE

In the eye of the auditor, they always look for policies first followed by technical implementations. So i'd say B.

wd40

gespenstern wrote: »

A is a BS answer

English is a second language to me but if by "Assimilation" they mean that you need to have a culture that believes (not understand, or know etc) that password sharing is wrong then that would be an appropriate answer.

You can have policies, 10 factor authentication, training and even threat of termination, but until staff actually believe that password sharing is wrong they would still find ways to share passwords.

An example from neighboring Kuwait, a security guard was caught with a set of plastic fingers that he used to sign people in (attendance register using finger print - something you are).

coffeeisgood

A
page 415

the key word seems to be "assimilation" in the book answers

I will not post the full explanation here as if you should have this study manual.
Since most people are not picking this answer, you can start to see why I posted this.

I am trying to understand ISACA thinking....

Maybe we should warp to Stark Trek

we are the borg
you will be assimilated
resistance is futile

gespenstern

wd40 wrote: »

English is a second language to me but if by "Assimilation" they mean that you need to have a culture that believes (not understand, or know etc) that password sharing is wrong then that would be an appropriate answer.

You can have policies, 10 factor authentication, training and even threat of termination, but until staff actually believe that password sharing is wrong they would still find ways to share passwords.

An example from neighboring Kuwait, a security guard was caught with a set of plastic fingers that he used to sign people in (attendance register using finger print - something you are).

I agree. And I audited a few commercial banks. And yet to find a bank that would satisfy this description as even in really small ones there's always a password policy of some form which is often not even a result of actions performed after an IS audit but something that was introduced by infrastructure teams in prehistoric times.

I'd say that these days you can't really rely on having a situation in a bank where there are passwords in use but the users aren't instructed not to share their passwords via acceptable use policy (first day policy, enrollment process, you name it).

I would suggest for ISACA to prove that the situation they are implying (bank, people aren't instructed not to share passwords) is actually something that happens in real world.

Hell, even for free online services it is almost a rule that you have to agree with some kind of terms of service document that would have a phrase or two on passwords.

Another reason why this answer is BS is its wording. This is like a common sense statement (humans need air to breathe type of thing) and it's not clear to whom it is directed to and what exactly it asks to do. One would expect something like "employees must have been informed that the password sharing is prohibited and sign a password policy document". I could have voted for such a control IF the scenario HAD a statement that the users aren't informed about it. This control would be cheaper than smart-cards + PIN or password although not as robust.

boyet_919

D

Keyword is "eliminate"

Its like telling your kids the danger of watching ****. Some kids will listen, some kids wont. So assimilation of security (A) , and stringent rules (B) is only one half of the solution as they wont eliminate password sharing.

C. -> Smart cards and passwords can be shared.

D - >While smartcards can be shared, the terminal ID (as I understand) is a measure that ensures that access is made from valid terminal sources. (stops branch office employees and the separate legal entity employees from working in their area)