Page 8 - Password administration review-Guilford ES
Emergency Services: Password Administration Review
SCOPE AND METHODOLOGY
During the review process, sufficient and appropriate procedures were performed, and
documented evidence was gathered to support the accuracy of the conclusions. The findings and
conclusions are based on a comparison of the conditions that existed as of the date of the audit,
against established criteria and practices at Emergency Services.
To determine whether password controls were effective, we:
• Evaluated the policies around password protection
• Documented processes via interviews, questionnaires, flowcharts, analytical procedures,
Change Audit, SQL queries, etc.
• Reviewed evidence to ensure passwords were changed/reset within 180 days
• Reviewed terminated employees from July 2018 to July 2019
• Evaluated users’ administrative rights
• Reviewed governance processes (if any) of the access security function
Our approach to this review comprised the following tasks:
• Gained an understanding of the policies, procedures and general controls in place
• Performed a desktop review of key relevant IT policies and procedures
• Conducted meetings with relevant stakeholders
• Conducted a walkthrough to evaluate the design and implementation of relevant controls
and review relevant documentation
• Performed testing on a sampling basis of the identified key controls to evaluate their
operating effectiveness
• Observed password activity
• Reported any gaps/weaknesses identified