Appendix: Understanding the Sarbanes-Oxley Act
d) Significant changes in privileges (such as when an employee moves to a
different job within the company) must be initiated by completing a new
Employee Information Profile form, which is signed by the responsible
manager.
i) After the account is created, the Employee Information Profile form is
signed by the IT staff member who performed the changes.
ii) Completed Employee Information Profile forms will be maintained by
the IT department.
e) Accounts are created and maintained using standard administrative tools
on the system for which they are created. For example, creating a Windows
network account uses the standard programs and procedures specified by
Microsoft, creating an accounting system account follows the procedures
outlined by its vendor, and so forth.
f) Accounting system annual review
i) Once a year, the Controller or CFO will review all user accounts and
their access to accounting functions by reviewing a current printout of
user account information and menu security assignments prepared by
the IT department.
ii) The Controller or CFO will note any changes needed to user group
assignment or menu security and will forward a list of changes to the
IT department.
iii) The IT department will make the security changes in the accounting
system as indicated by the Controller or CFO.
iv) If no changes are necessary, the printout of the user accounts and
their access to the accounting system menu functions will be signed
and dated by the Controller or CFO and retained as internal control
documentation.
7) POLICY
a) The password policy for Generic is as follows:
i) For the Generic network:
(1) Passwords must be no less than eight characters long.
(2) Passwords must conform to the Microsoft Windows Network
password "complexity rules." The complexity rules state that a
password must include at least one character from three of the four
following groups:
(i) Uppercase alpha (A-Z)
(ii) Lowercase alpha (a-z)
(iii) Numeric (0-9)
(iv) Special characters (!@#$, etc.)