Password Management
Planning:
Reviewed system authentication configurations and password policy enforcement across key platforms (Active Directory, ERP systems, and internal applications) as part of an ITGC audit cycle.
Objectives:
- Confirm password policies enforce minimum complexity and expiration
- Assess lockout mechanisms and reset procedures
- Validate use of multi-factor authentication (MFA)
- Identify risks from weak or default credentials
Procedures:
- Reviewed password configuration for 3 core systems
- Evaluated lockout settings and retry limits
- Tested reset request processes for end-users and admins
- Checked for unused or default accounts
- Reviewed MFA deployment across user groups
Working Papers:
- WP-ITGC-PWD001: Password policy configuration & enforcement
- Screenshots from system settings, reset logs, and MFA reports
Findings:
- One system allowed 6-character passwords with no complexity requirements
- No lockout policy in place on the internal legacy tool
- Admin password resets lacked consistent identity verification
Tools Used:
Active Directory, ERP config console, ServiceNow, Excel, MFA portal
Recommendations:
- Enforce strong password policies across all systems (min 12 characters, complexity, expiration)
- Implement lockout thresholds after multiple failed login attempts
- Apply strict identity verification for all password resets
- Expand MFA implementation to cover all privileged and sensitive roles
- Review and update password policies annually
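An added evidence-collection script for the Active Directory portion of WP-ITGC-PWD001 (example code written for this page, not taken from the working paper); it reads the default domain policy and flags deviations from the recommendations above, then lists fine-grained overrides, inactive accounts and accounts exempt from expiration. The expiration interval, lockout count and inactivity cut-off are assumed values, since the page does not state them.

```powershell
# Added example, not part of the working paper: collects AD password-policy
# evidence for WP-ITGC-PWD001 and flags deviations from the recommendations.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Thresholds: 12 characters from the recommendations; the rest are assumed.
$MinLength        = 12
$MaxAgeDays       = 90      # assumed expiration interval
$LockoutThreshold = 10      # assumed failed-attempt limit
$InactiveDays     = 90      # assumed cut-off for "unused" accounts

$findings = @()
$policy = Get-ADDefaultDomainPasswordPolicy

if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "Minimum length is $($policy.MinPasswordLength), recommended $MinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "Complexity requirements are disabled"
}
# A MaxPasswordAge of zero means passwords never expire.
if ($policy.MaxPasswordAge.TotalDays -le 0 -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
    $findings += "Password expiration is $($policy.MaxPasswordAge.TotalDays) days (0 = never)"
}
# A LockoutThreshold of zero means accounts are never locked out.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $LockoutThreshold) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold) (0 = no lockout)"
}

# Fine-grained policies override the default for specific groups; record them too.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# Unused accounts: enabled users with no logon within the cut-off.
$inactive = Search-ADAccount -AccountInactive -TimeSpan "$InactiveDays.00:00:00" -UsersOnly |
    Where-Object { $_.Enabled }
if ($inactive) {
    $findings += "$($inactive.Count) enabled user accounts inactive for over $InactiveDays days"
}

# Accounts flagged PasswordNeverExpires bypass the expiration control entirely.
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
if ($neverExpires) {
    $findings += "$($neverExpires.Count) enabled accounts set to PasswordNeverExpires"
}

# Write the findings beside the screenshots referenced in the working paper.
$findings | Out-File -FilePath "WP-ITGC-PWD001-findings.txt"
$findings
```

The ERP and internal applications in scope have no equivalent cmdlets, so their settings still need to be captured from the configuration console as the procedures describe.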