Page 2 - Password administration review-Guilford ES
P. 2
Emergency Services: Password Administration Review
I5O Consulting Services
August 2019
EXECUTIVE SUMMARY
Objective and Scope
The objective of this engagement is to review and test the design and operational effectiveness
intended for password administration for Guilford County’s Emergency Services (ES)
department. Departments at Guilford County are required to take appropriate measures to ensure
that password controls are in place to provide reasonable assurance that low to no risk exist from
unauthorized access to systems.
To determine whether ES’s controls over password administration were effective, we examined
the following:
a) Ensure passwords are changed/reset in accordance with policy and procedures,
b) Ensure password complexity exists per policy, and
c) Ensure password access is delegated appropriately.
Background
Guilford County’s Emergency Services (ES) has established its own Technical Support group to
facilitate and maintain the information technology for their subdivisions: Emergency
Management, Emergency Medical Services, and the Fire Division. The ES Technical Support
group acts as an extension or component of Guilford County’s Information Services group. ES
Technical Support has implemented their own Active Directory forest to authenticate and
authorize users and computers specific to the ES department. The ES Active Directory forest has
a two-way trust relationship with Guilford County’s Information Services group to maintain a
relationship between the two domains and ensure resources can be accessed by appropriate users.
On July 16, 2019, ES engaged I5O Consulting to review their password administration
processes. We identified several excellent policies, procedures and best practices within ES
aligned with Guilford County’s Information Services (IS) group regarding the security of
passwords. We examined hundreds of users’ access to determine the effectiveness of ES’s
control over maintaining and governing password activity.
1