
GENERAL IT CONTROLS REVIEW: PASSWORDS

QUESTIONNAIRE

Platform 1 Platform 2 Platform 3 Platform 4


1. Are user rights to this platform or software system assigned based on group rights (versus individual rights)?
2. If yes, are individual users granted personal rights in addition to group rights?
3. Are user rights for this platform or software system reviewed regularly (segregation of duties review)?
4. If yes, how often?
5. Are user access rights reviews performed by the business process owners?
6. Does this platform or software system use a smart card, digital certificate, biometric identification, or some other technique for user authentication that replaces user IDs and passwords? (If yes, continue with step 24.)
7. Do user IDs follow a standard structure (example: John Smith would be user ID "jsmith") for this platform or software system?
8. Do passwords have a minimum length? If yes, what is it?
9. Do passwords have a maximum length? If yes, what is it?
10. Are passwords required to contain numbers or special characters?
11. Do users assign their own passwords?
12. Are users required to change passwords on first logon after being established?
13. Are users required to perform their first logon immediately upon being established?
14. Are starting passwords always the same for all users?
15. How often are passwords required to change (example: 90 days)?
16. Is the user password expiration for this platform or software system aligned with other systems so most passwords expire at the same time?
17. Are users advised to use the same passwords on multiple platforms and systems where possible?

Source: www.knowledgeleader.com

18. Are users advised to choose passwords that are not common words or easily determined personal information like birthdays, names of family members, initials, etc.?
19. Are users restricted from re-using the same password?
20. If yes, how many new passwords must be used before allowing a repeat?
21. Are users restricted from changing their passwords more than once a day?
22. Are additional passwords required for access to sensitive or confidential data?
23. Are passwords ever written, printed, displayed, or stored in a data file in unencrypted form?
24. Is the user ID suspended after a specific number of unsuccessful attempts to gain access?
25. If yes, indicate the number.
26. Is the workstation deactivated after a specific number of unsuccessful attempts to gain access?
27. If yes, indicate the number.
28. Does the user ID lock, go to a screen saver password, or deactivate after a specified period of inactivity?
29. If yes, indicate the number of minutes before locking, screen saver, or deactivation.
30. Does the reactivation of a disabled user ID or workstation require human involvement (help desk or information systems personnel)?
31. Can specific functions within software systems be restricted to specific workstations?
32. Are user ID and password standards for this platform formally documented by the organization?
33. Do users (including information systems personnel) sign agreements that address security and confidentiality covering this platform?
