Poll results: D1. Which should IS auditors recommend to effectively eliminate such password sharing? (15 voters)
  • A. Assimilation of security need to keep password secret: 3 (20.00%)
  • B. Stringent rules prohibiting sharing of password: 2 (13.33%)
  • C. Use of smart card along with strong password: 10 (66.67%)
  • D. Use of smart card along with employee's terminal ID: 0 (0%)
  1. Senior Member coffeeisgood
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #1

    Question ??? | recommend to eliminate password sharing? | Case Study | 5.16.4 |

    5.16.4 Case Study D
    A major financial institution has just implemented a centralized banking solution (CBS) in one of its branches. It has a secondary concern to look after marketing of the bank. Employees of a separate legal entity work on the bank premises, but they have no access to the bank's solution software. Employees of other branches get training on this solution from this branch, and for training purposes temporary access credentials are also given to such employees. IS auditors observed that employees of the separate legal entity also access the CBS software through the branch employees' access credentials. IS auditors also observed that there are numerous active IDs of employees who got training from the branch and have since been transferred to their original branch.

    D1. Which of the following should IS auditors recommend to effectively eliminate such password sharing?

    A. Assimilation of security need to keep password secret
    B. Stringent rules prohibiting sharing of password
    C. Use of smart card along with strong password
    D. Use of smart card along with employee's terminal ID


    CISA Review Manual 26th Edition
    page 413

  3. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,325

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #2
    The Ninth Circuit has recently ruled password sharing to be illegal. Expect this to work its way to the SCOTUS for a final ruling. But from a legal standpoint this does appear to be where the law intends to go, making it easy for the auditor to recommend the final solution.

    Of course two-factor will always be more secure, and in an ideal world three-factor (something you know, something you have, something you are) would be best, but progress takes time, and many times science, as well as business, moves forward one funeral at a time.

    - b/eads

  4. Senior Member coffeeisgood
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #3
    Let's not forget about

    4FA = Four-Factor Authentication

    Something you know (password, PIN, etc.)
    Something you have (mobile phone, credit card, smart card, etc.)
    Something you are (fingerprint, hand geometry, etc.)
    and
    Something you can do (accurately reproducing a signature, measuring speed/pressure)


    I have also heard of the rise of other factors (fifth- or sixth-factor authentication).

    Sometimes it is
    5th - Time (verification of employee IDs against work schedules)

    Somewhere you are
    6th - Location (GPS location, i.e. ATM use in the United States, then 10 minutes later somewhere in Europe)

    This is going a bit overkill for CISA, but interesting.


    Anyway, this question (and its book answer) has me a bit perplexed.
    I am trying to understand the ISACA thought process.... trying...

  5. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    996

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #4
    Yeah. Something you forgot, something you once had and something you once were. Damn humans, they always find a way to screw security.

  6. Senior Member coffeeisgood
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #5
    FYI: the option with the most votes right now is NOT the book answer.

    You cannot see the poll results until you vote.

    I will eventually post the book answer; until then, log in and vote.

  7. Senior Member wd40
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    911

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #6
    On an unrelated note, I have the 25th edition CISA manual, and the book ends at page 378; then the appendices start.

    I can't find this question in the Chapter 5 case studies, so the question now is: it was thought that ISACA basically only changes the cover; is this really the case?

  8. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    996

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #7
    Quote, originally posted by coffeeisgood:
        FYI: the option with the most votes right now is NOT the book answer.
    LOL! Then it's D, there's no way it is A or B!

    A is a BS answer, and B can't be right because immediately upon getting credentials, or before getting them, new employees sign an acceptable use policy and are instructed that passwords aren't for sharing.

    In the case of D, IS auditors seem to be okay with employees and contractors giving each other cards instead of passwords!

    PS: Also be aware that the thread could be wasted, because mods don't want ISACA going after TE with copyright infringement claims.
    Last edited by gespenstern; 07-22-2016 at 11:02 PM.

  9. Senior Member
    Join Date
    May 2006
    Posts
    2,021

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #8
    In the eyes of the auditor, they always look for policies first, followed by technical implementations. So I'd say B.

  10. Senior Member wd40
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    911

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #9
    Quote, originally posted by gespenstern:
        A is a BS answer
    English is a second language to me, but if by "assimilation" they mean that you need to have a culture that believes (not understands or knows, etc.) that password sharing is wrong, then that would be an appropriate answer.

    You can have policies, 10-factor authentication, training and even the threat of termination, but until staff actually believe that password sharing is wrong, they will still find ways to share passwords.

    An example from neighboring Kuwait: a security guard was caught with a set of plastic fingers that he used to sign people in (attendance register using fingerprint, something you are).
    Last edited by wd40; 07-23-2016 at 06:26 AM.

  11. Senior Member coffeeisgood
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #10
    A
    page 415

    The key word seems to be "assimilation" in the book answers.

    I will not post the full explanation here, as you should have this study manual.
    Since most people are not picking this answer, you can start to see why I posted this.

    I am trying to understand ISACA thinking....

    Maybe we should warp to Star Trek:

    we are the Borg
    you will be assimilated
    resistance is futile

  12. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    996

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #11
    Quote, originally posted by wd40:
        English is a second language to me, but if by "assimilation" they mean that you need to have a culture that believes (not understands or knows, etc.) that password sharing is wrong, then that would be an appropriate answer.

        You can have policies, 10-factor authentication, training and even the threat of termination, but until staff actually believe that password sharing is wrong, they will still find ways to share passwords.

        An example from neighboring Kuwait: a security guard was caught with a set of plastic fingers that he used to sign people in (attendance register using fingerprint, something you are).
    I agree. And I have audited a few commercial banks, and have yet to find a bank that would satisfy this description, as even in really small ones there's always a password policy of some form, which is often not even a result of actions performed after an IS audit but something that was introduced by infrastructure teams in prehistoric times.

    I'd say that these days you can't really rely on having a situation in a bank where there are passwords in use but the users aren't instructed not to share their passwords via an acceptable use policy (first-day policy, enrollment process, you name it).

    I would suggest that ISACA prove that the situation they are implying (a bank where people aren't instructed not to share passwords) is actually something that happens in the real world.

    Hell, even for free online services it is almost a rule that you have to agree to some kind of terms-of-service document that has a phrase or two on passwords.

    Another reason why this answer is BS is its wording. This is like a common-sense statement (humans need air to breathe, that type of thing), and it's not clear to whom it is directed and what exactly it asks one to do. One would expect something like "employees must have been informed that password sharing is prohibited and sign a password policy document". I could have voted for such a control IF the scenario HAD a statement that the users aren't informed about it. This control would be cheaper than smart cards + PIN or password, although not as robust.
    Last edited by gespenstern; 07-23-2016 at 05:08 PM.

  13. Junior Member
    Join Date
    Sep 2016
    Posts
    8
    #12
    D

    Keyword is "eliminate".

    It's like telling your kids the dangers of watching ****. Some kids will listen, some kids won't. So assimilation of security (A) and stringent rules (B) are only one half of the solution, as they won't eliminate password sharing.


    C -> Smart cards and passwords can be shared.

    D -> While smart cards can be shared, the terminal ID (as I understand it) is a measure that ensures that access is made from valid terminal sources (stops branch office employees and the separate legal entity's employees from working in their area).
