Default Passwords

Any profile whose password is the same as its profile name is an unacceptable security risk. Unfortunately, many companies have policies that name user accounts or profiles according to a standard format, such as first-name initial followed by surname (e.g., jsmith, tjones).

Allowing default passwords lets an attacker guess profile names like jsmith and try the profile name as the password. It's even easier for an employee who knows the internal naming standard for user profiles to guess account names and try their default passwords.

PowerTech Recommendations

Use the Compliance Monitor 'Profiles with Default Passwords' report to audit all default passwords.
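An added audit check in Python (not the Compliance Monitor report or any PowerTech code) that flags profiles whose stored password hash matches their own profile name in any letter case, alongside the preventive check a password-change routine would run; the profile records, salts and PBKDF2 hashing are constructed for the example.

```python
import hashlib
import os

# Constructed records standing in for whatever credential store an audit job
# can read: this is an added example, not the Compliance Monitor report or any
# PowerTech code. Hashing is PBKDF2-SHA256; the low iteration count keeps the
# example fast and is not a recommendation for real password stores.
ITERATIONS = 10_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_profile(name: str, password: str) -> dict:
    """Build one constructed profile record: name, random salt, password hash."""
    salt = os.urandom(16)
    return {"profile": name, "salt": salt, "hash": hash_password(password, salt)}

SAMPLE_PROFILES = [
    make_profile("JSMITH", "JSMITH"),        # default: password equals profile name
    make_profile("tjones", "TJONES"),        # default in a different letter case
    make_profile("rbrown", "Wq7!pine-42"),   # non-default
]

def default_password_candidates(profile: str) -> set:
    """Spellings of the profile name that the audit treats as a default password."""
    return {profile, profile.lower(), profile.upper(), profile.capitalize()}

def has_default_password(record: dict) -> bool:
    """True when the stored hash matches any spelling of the profile name."""
    return any(
        hash_password(candidate, record["salt"]) == record["hash"]
        for candidate in default_password_candidates(record["profile"])
    )

def find_default_password_profiles(records) -> list:
    """Audit pass: the profiles that belong on a default-password report."""
    return [r["profile"] for r in records if has_default_password(r)]

def is_acceptable_new_password(profile: str, new_password: str) -> bool:
    """Preventive check for a password-change routine: refuse the profile name."""
    return new_password not in default_password_candidates(profile)

if __name__ == "__main__":
    for name in find_default_password_profiles(SAMPLE_PROFILES):
        print(f"default password in use: {name}")
```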

Profiles with Default Passwords Report

Relevant Standards:

COBIT DS5.3 - Identity Management

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.

COBIT DS5.4 - User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included.

COBIT DS5.5 - Security Testing, Surveillance and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.

Sections 11.2.3, 11.5.3 and 11.3.1 of the ISO 17799 standard provide detailed guidance on setting strong password policies and managing user accounts. COBIT points out the need for effective management of user accounts.

ISO 27002 (17799) 11.2.3 - User Password Management

The allocation of passwords should be controlled through a formal management process.

ISO 27002 (17799) 11.2.4 - Review of User Access Rights

Management should review users' access rights at regular intervals using a formal process.

ISO 27002 (17799) 11.3.1 - Password Use

Users should be required to follow good security practices in the selection and use of passwords, i.e. select quality passwords with a sufficient minimum length that are free of consecutive identical, all-numeric or all-alphabetic characters.