
Networking: A Beginner’s Guide, Fifth Edition - P86



DOCUMENT INFORMATION

Basic information

Format
Number of pages: 5
Size: 70,29 KB

Content

407 Appendix: Understanding the Sarbanes-Oxley Act

    e) Each server will have a log book that will be used to document any reported problems or adverse event observations made during visits to the server room by any IT staff member or system administrator.
    f) The log books are used to document errors that are discovered outside routine monthly maintenance, and for any configuration changes to each server or its key applications.
    g) The server log books will be reviewed annually by IT management.
7) ATTACHMENT
    a) Attachment IT-FR-003: “Generic Network Server Maintenance Electronic Log Form”

System Account Management

GENERIC COMPANY, INC. IT Documentation
TITLE: SYSTEM ACCOUNT MANAGEMENT
Document #: IT-005 V4
Effective Date: 12/1/09
Issued by: IT Department
Page Number: 1 of 5

1) PURPOSE
    a) To define Generic’s procedures regarding user account management for the Generic network.
2) SCOPE
    a) This procedure applies to the Generic computer system and administrative and user accounts for use on that system.
3) RESPONSIBILITIES
    a) Generic’s IT department is responsible for preparation of this SOP.
    b) Generic’s IT department is responsible for administering the accounts for the Generic computer system (i.e., system administrator).
    c) Generic’s IT management is responsible for approving this procedure.
    d) The relevant department manager is responsible for approval of access and denial of access privileges, as indicated on the Employee Information Profile form and the Employee Departure form.
    e) The Controller or CFO is responsible for annually reviewing user access within the accounting system.
4) REFERENCES
    a) Employee Information Profile form
    b) Employee Departure form
5) DEFINITIONS
    a) User account: An account on a computer or network server that authenticates a user to access certain resources on the computer or network server.
    b) Administrative account: An account on a computer or network server, similar to a user account, that authenticates the system’s administrator(s) and gives them system permissions necessary to administer the system.
    c) Username: The plain-text readable name of the account being used.
    d) Password: A sequence of letters and/or numbers, determined by the user and known only to that user, that is used to confirm the user’s identity to the system.
    e) Log in: The act of providing a username and password to an authenticating computer system for the purpose of receiving system permission to access resources.
    f) Security groups: Collections of users grouped together to make the task of administering the system’s security easier and more logical.
    g) Secured resource: A resource located on a computer, such as a directory, file, or printer, which can be accessed or used only by accounts or groups authorized by the system administrator.
    h) Nonobvious password: A password that cannot be readily guessed by others. Common password components to avoid include the user’s name or any portion thereof; family member, friend, or pet names or any portion thereof; and any word, date, or number associated with the user and potentially known to others.
    i) Home directory: A private folder created for each user with a drive letter designation of H:. This folder is for use by the system to hold system settings for that user, as well as for the user to store documents that are accessible only by that employee or the system administrators.
6) PROCEDURES
    a) Every individual who accesses the Generic computer system will be given a private account with which to access the system.
    b) When a new account is needed for access to the system (either by a new employee or any other party that needs to access the Generic computer system), an Employee Profile form will be generated for that account.
    c) The completed form is signed by the responsible manager and submitted to the IT department.
    d) Significant changes in privileges (such as when an employee moves to a different job within the company) must be initiated by the completion of a new Employee Information Profile form and signed by the responsible manager.
        i) After the account is created, the Employee Information Profile form is signed by the IT staff member who performed the changes.
        ii) Completed Employee Information Profile forms will be maintained by the IT department.
    e) Accounts are created and maintained using standard administrative tools on the system for which they are created. For example, creating a Windows network account uses the standard programs and procedures specified by Microsoft, creating an accounting system account follows the procedures outlined by its vendor, and so forth.
    f) Accounting system annual review
        i) Once a year, the Controller or CFO will review all user accounts and their access to accounting functions by reviewing a current printout of user account information and menu security assignments prepared by the IT department.
        ii) The Controller or CFO will note any changes needed to user group assignment or menu security and will forward a list of changes to the IT department.
        iii) The IT department will make the security changes in the accounting system as indicated by the Controller or CFO.
        iv) If no changes are necessary, the printout of the user accounts and their access to the accounting system menu functions will be signed and dated by the Controller or CFO and retained as internal control documentation.
7) POLICY
    a) The password policy for Generic is as follows:
        i) For the Generic network:
            (1) Must be no less than eight characters long.
            (2) Passwords must conform to the Microsoft Windows Network password “complexity rules.” The complexity rules state that a password must include at least one character from three of the four following groups:
                (i) Uppercase alpha (A–Z)
                (ii) Lowercase alpha (a–z)
                (iii) Numeric (0–9)
                (iv) Special characters (!@#$, etc.)
            (3) The system will force a password change once per year automatically. Users may change their passwords more frequently if required or desired.
            (4) The system maintains a password history and will not allow users to use the same password for five changes.
            (5) The system maintains an “account lockout policy” which will lock any account after eight invalid attempts within any 30-minute period. The account can be unlocked only by an IT system administrator.
            (6) Special logins and passwords are set for certain computers in the building. These logins are restricted to be usable only from those computers, and are used for specific purposes (such as using a computer connected to a laboratory instrument, or using one of the presentation computers). These accounts are further secured with limited access to the network. These accounts are not subject to the normal password policy settings, but instead use a password assigned by the IT department, and those passwords are known to a number of employees and are not required to be changed.
        ii) For the accounting system:
            (1) Accounting system accounts are secured with an accounting system-specific username and password.
            (2) The accounting system will force a password change every 90 days on all of its accounts. Users will be instructed to choose nonobvious passwords, although the accounting system has no facility to ensure the length or complexity of passwords.
    b) User responsibilities:
        i) All users must not share their passwords or security codes with anyone, including with administrators of the system and their management.
        ii) All users will make reasonable efforts to conceal their passwords or security codes.
        iii) All users will not ask others for the use of their password or security code.
        iv) If users lose or forget their password, the administrator will assign a new, temporary password for them, and will set their account so that they are prompted to select a new private password at their first login.
        v) Each user is responsible for logging off, shutting down or locking his or her computer at the end of each business day.
    c) When a user leaves the company:
        i) Human Resources and the appropriate supervisor will complete the Employee Departure form, indicating date of departure and any special considerations as specified in the form.
        ii) In the case of a standard departure, Human Resources will give the completed Employee Departure form to the IT department. The IT department will disable all appropriate accounts and handle any special considerations, as specified on the form, at the close of business on the last day of employment for that employee.
        iii) In the case of a priority termination, all accounts held by the affected user will be disabled immediately.
        iv) Upon completion of the termination and prior to the deletion of accounts or data, the Special Considerations section of the form will be reviewed to see if prior approval of deletions is required.
        v) Completed Employee Departure forms will be maintained by the IT department.

Change Control

GENERIC COMPANY, INC. IT Documentation
TITLE: Accounting System Change Control
Document #: IT-006 v3
Effective Date: 12/1/09
Issued by: IT Department
Page Number: 1 of 3

1) PURPOSE
    a) Sets forth policies relating to program or direct database changes to the accounting system, its server, or its backup software used at Generic.
    b) Sets forth procedures to follow to request, review, approve, and test changes to the accounting system, its server, or its backup software at Generic.
2) SCOPE
    a) This document applies to the accounting system installed at Generic’s headquarters.
3) RESPONSIBILITIES
    a) The IT department is responsible for generation and annual review and update of this document.
    b) The Controller or CFO is responsible for approving this document and any subsequent changes.
    c) Each requestor of a change is responsible for completing a change request form and submitting it to the IT department.
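The network password policy in section 7(a)(i) of the System Account Management SOP above states concrete controls: at least eight characters, three of the four character groups, a five-password history, and lockout after eight invalid attempts in any 30-minute period. The Python below is an added example, not code from the book, that turns those stated controls into reference checks an administrator can run against sample passwords and logon-failure timestamps when verifying what the domain actually enforces; the treatment of any non-alphanumeric character as "special" and of a "portion" of a name as any three-character run are assumptions made here.

```python
import hashlib
from collections import deque
from datetime import datetime, timedelta

# Parameters from section 7(a)(i) of the sample System Account Management SOP
# (IT-005): length 8, three of four character groups, a five-password history,
# and lockout after eight invalid attempts within any 30-minute period.
MIN_LENGTH, REQUIRED_GROUPS, HISTORY_DEPTH = 8, 3, 5
LOCKOUT_THRESHOLD, LOCKOUT_WINDOW = 8, timedelta(minutes=30)

def meets_complexity(password: str) -> bool:
    """7(a)(i)(1)-(2): at least 8 characters drawn from 3 of the 4 groups."""
    groups = (any(c.isupper() for c in password),
              any(c.islower() for c in password),
              any(c.isdigit() for c in password),
              any(not c.isalnum() for c in password))  # assumption: non-alphanumeric = special
    return len(password) >= MIN_LENGTH and sum(groups) >= REQUIRED_GROUPS

def is_nonobvious(password: str, username: str, related: list) -> bool:
    """5(h): no username, family/friend/pet name, or portion thereof.
    Assumption: a 'portion' is any run of three or more characters."""
    lowered = password.lower()
    for w in (x.lower() for x in [username, *related]):
        parts = [w[i:i + 3] for i in range(len(w) - 2)] or [w]
        if any(p in lowered for p in parts):
            return False
    return True

def digest(password: str) -> str:  # the history keeps digests, not plaintext
    return hashlib.sha256(password.encode()).hexdigest()

def history_allows(password: str, history) -> bool:
    """7(a)(i)(4): reject any of the user's last five passwords."""
    return digest(password) not in list(history)[-HISTORY_DEPTH:]

class LockoutTracker:
    """7(a)(i)(5): eight failures in any 30-minute window lock the account."""
    def __init__(self) -> None:
        self.failures, self.locked = deque(), False
    def record_failure(self, at: datetime) -> bool:
        self.failures.append(at)  # sliding window of recent failure times
        while at - self.failures[0] > LOCKOUT_WINDOW:
            self.failures.popleft()
        self.locked = self.locked or len(self.failures) >= LOCKOUT_THRESHOLD
        return self.locked

    def unlock(self) -> None:  # only an IT system administrator clears the lock
        self.failures.clear()
        self.locked = False
```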

Posted: 05/07/2014, 04:20