
Networking: A Beginner’s Guide, Fifth Edition (P86)


407
Appendix: Understanding the Sarbanes-Oxley Act
e) Each server will have a log book that will be used to document any reported
problems or adverse event observations made during visits to the server room
by any IT staff member or system administrator.
f) The log books are used to document errors that are discovered outside
routine monthly maintenance, and for any configuration changes to each server
or its key applications.
g) The server log books will be reviewed annually by IT management.
7) ATTACHMENT
a) Attachment IT-FR-003: “Generic Network Server Maintenance Electronic
Log Form”
System Account Management
GENERIC COMPANY, INC.
IT Documentation
TITLE: SYSTEM ACCOUNT MANAGEMENT
Document #: IT-005 V4
Effective Date: 12/1/09
Issued by: IT Department
Page Number: 1 of 5
1) PURPOSE
a) To define Generic’s procedures regarding user account management for the
Generic network.
2) SCOPE
a) This procedure applies to the Generic computer system and administrative
and user accounts for use on that system.
3) RESPONSIBILITIES
a) Generic’s IT department is responsible for preparation of this SOP.
b) Generic’s IT department is responsible for administering the accounts for
the Generic computer system (i.e., system administrator).
c) Generic’s IT management is responsible for approving this procedure.
d) The relevant department manager is responsible for approval of access
and denial of access privileges, as indicated on the Employee Information
Profile form and the Employee Departure form.
e) The Controller or CFO is responsible for annually reviewing user access
within the accounting system.
4) REFERENCES
a) Employee Information Profile form
b) Employee Departure form
5) DEFINITIONS
a) User account: An account on a computer or network server that
authenticates a user to access certain resources on the computer or network server.
b) Administrative account: An account on a computer or network server,
similar to a user account, that authenticates the system’s administrator(s)
and gives them system permissions necessary to administer the system.
c) Username: The plain-text readable name of the account being used.
d) Password: A sequence of letters, numbers, and/or symbols, determined by the
user and known only to that user, that is used to confirm the user’s identity
to the system.
e) Log in: The act of providing a username and password to an authenticating
computer system for the purpose of receiving system permission to access
resources.
f) Security groups: Collections of users grouped together to make the task of
administering the system’s security easier and more logical.
g) Secured resource: A resource located on a computer, such as a directory,
file, or printer, which can be accessed or used only by accounts or groups
authorized by the system administrator.
h) Nonobvious password: A password that cannot be readily guessed by
others. Common password components to avoid include the user’s name
or any portion thereof; family member, friend, or pet names or any portion
thereof; and any word, date, or number associated with the user and
potentially known to others.
i) Home directory: A private folder created for each user with a drive letter
designation of H:. This folder is for use by the system to hold system settings
for that user, as well as for the user to store documents that are accessible
only by that employee or the system administrators.
6) PROCEDURES
a) Every individual who accesses the Generic computer system will be given a
private account with which to access the system.
b) When a new account is needed for access to the system (either by a new
employee or any other party that needs to access the Generic computer
system), an Employee Information Profile form will be generated for that account.
c) The completed form is signed by the responsible manager and submitted to
the IT department.
d) Significant changes in privileges (such as when an employee moves to a
different job within the company) must be initiated by the completion of
a new Employee Information Profile form and signed by the responsible
manager.
i) After the account is created, the Employee Information Profile form is
signed by the IT staff member who performed the changes.
ii) Completed Employee Information Profile forms will be maintained by
the IT department.
e) Accounts are created and maintained using standard administrative tools
on the system for which they are created. For example, creating a Windows
network account uses the standard programs and procedures specified by
Microsoft, creating an accounting system account follows the procedures
outlined by its vendor, and so forth.
f) Accounting system annual review
i) Once a year, the Controller or CFO will review all user accounts and
their access to accounting functions by reviewing a current printout of
user account information and menu security assignments prepared by
the IT department.
ii) The Controller or CFO will note any changes needed to user group
assignment or menu security and will forward a list of changes to the
IT department.
iii) The IT department will make the security changes in the accounting
system as indicated by the Controller or CFO.
iv) If no changes are necessary, the printout of the user accounts and
their access to the accounting system menu functions will be signed
and dated by the Controller or CFO and retained as internal control
documentation.
7) POLICY
a) The password policy for Generic is as follows:
i) For the Generic network:
(1) Must be no less than eight characters long.
(2) Passwords must conform to the Microsoft Windows Network
password “complexity rules.” The complexity rules state that a
password must include at least one character from three of the four
following groups (Windows also rejects a password that contains the
user’s account name):
(i) Uppercase alpha (A–Z)
(ii) Lowercase alpha (a–z)
(iii) Numeric (0–9)
(iv) Special characters (!@#$, etc.)
(3) The system will force a password change once per year automatically.
Users may change their passwords more frequently if required or
desired.
(4) The system maintains a password history and will not allow users
to use the same password for five changes.
(5) The system maintains an “account lockout policy” which will lock
any account after eight invalid attempts within any 30-minute period.
The account can be unlocked only by an IT system administrator.
(6) Special logins and passwords are set for certain computers in the
building. These logins are restricted to be usable only from those
computers, and are used for specific purposes (such as using a
computer connected to a laboratory instrument, or using one of the
presentation computers). These accounts are further secured with
limited access to the network. These accounts are not subject to the
normal password policy settings, but instead use a password assigned
by the IT department, and those passwords are known to a number of
employees and are not required to be changed.
ii) For the accounting system:
(1) Accounting system accounts are secured with an accounting
system-specific username and password.
(2) The accounting system will force a password change every 90 days
on all of its accounts. Users will be instructed to choose nonobvious
passwords, although the accounting system has no facility to ensure
the length or complexity of passwords.
b) User responsibilities:
i) All users must not share their passwords or security codes with anyone,
including with administrators of the system and their management.
ii) All users will make reasonable efforts to conceal their passwords or
security codes.
iii) All users will not ask others for the use of their password or security code.
iv) If users lose or forget their password, the administrator will assign a new,
temporary password for them, and will set their account so that they are
prompted to select a new private password at their first login.
v) Each user is responsible for logging off, shutting down or locking his or
her computer at the end of each business day.
c) When a user leaves the company:
i) Human Resources and the appropriate supervisor will complete the
Employee Departure form, indicating date of departure and any special
considerations as specified in the form.
ii) In the case of a standard departure, Human Resources will give
the completed Employee Departure form to the IT department. The IT
department will disable all appropriate accounts and handle any special
considerations, as specified on the form, at the close of business on the
last day of employment for that employee.
iii) In the case of a priority termination, all accounts held by the affected user
will be disabled immediately.
iv) Upon completion of the termination and prior to the deletion of accounts
or data, the Special Considerations section of the form will be reviewed
to see if prior approval of deletions is required.
v) Completed Employee Departure forms will be maintained by the IT
department.
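As an added example (not from the book and not part of the Generic SOP), the network password rules of section 7(a)(i) and the account lockout rule of 7(a)(i)(5) are written below as Python checks that a provisioning script or a login front end could run. The function and class names, the salted PBKDF2 storage of the password history, and the sliding 30-minute window are assumptions; the usernames and timestamps are constructed. The check also applies the “nonobvious password” rule of definition 5(h) by rejecting a password that contains the username, which the SOP states as a user instruction rather than a system-enforced setting.

```python
"""Added example (not from the book): the Generic network password and lockout
rules of IT-005 section 7(a)(i) expressed as checks a provisioning script or
login service could run. Function and class names are assumptions."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                          # 7(a)(i)(1): no less than eight characters
CLASSES_REQUIRED = 3                    # 7(a)(i)(2): three of the four character groups
HISTORY_DEPTH = 5                       # 7(a)(i)(4): no reuse within five changes
LOCKOUT_THRESHOLD = 8                   # 7(a)(i)(5): eight invalid attempts ...
LOCKOUT_WINDOW = timedelta(minutes=30)  # ... within any 30-minute period

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def remember_password(password: str, history: list) -> list:
    """Append the new password's digest and keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]
    return history


def password_problems(candidate: str, username: str, history: list) -> list:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(candidate))
    if classes < CLASSES_REQUIRED:
        problems.append("too_few_classes")
    # "Nonobvious password" (definition 5h): must not contain the user's own name.
    if username and username.lower() in candidate.lower():
        problems.append("contains_username")
    if any(hmac.compare_digest(hash_password(candidate, salt), digest)
           for salt, digest in history):
        problems.append("reused")
    return problems


class LockoutTracker:
    """Locks an account after LOCKOUT_THRESHOLD failures inside a sliding
    LOCKOUT_WINDOW; only admin_unlock() clears the lock, as 7(a)(i)(5) requires."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures = {}   # username -> timestamps of recent invalid attempts
        self._locked = set()

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def record_failure(self, username: str, at: datetime) -> bool:
        """Record an invalid attempt; return True if the account is (now) locked."""
        if username in self._locked:
            return True
        recent = [t for t in self._failures.get(username, []) if at - t < self.window]
        recent.append(at)
        self._failures[username] = recent
        if len(recent) >= self.threshold:
            self._locked.add(username)
        return username in self._locked

    def record_success(self, username: str) -> bool:
        """A valid password still fails while locked; otherwise reset the counter."""
        if username in self._locked:
            return False
        self._failures.pop(username, None)
        return True

    def admin_unlock(self, username: str) -> None:
        self._locked.discard(username)
        self._failures.pop(username, None)


def locked_after(failure_minutes) -> bool:
    """Replay invalid attempts at the given minute offsets on a fresh tracker."""
    tracker = LockoutTracker()
    start = datetime(2009, 12, 1, 9, 0)   # constructed timestamp for the example
    return any(tracker.record_failure("jsmith", start + timedelta(minutes=m))
               for m in failure_minutes)


if __name__ == "__main__":
    history = remember_password("Winter2009!", [])
    print(password_problems("Winter2009!", "jsmith", history))   # ['reused']
    print(locked_after(range(8)))                                 # True
    print(locked_after(10 * i for i in range(8)))                 # False
```

The sliding window is the literal reading of “eight invalid attempts within any 30-minute period”; the Windows account lockout settings the SOP refers to instead reset the failure counter a fixed time after the last invalid attempt, so the two can differ for attempts spread just inside the window.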
Change Control
GENERIC COMPANY, INC.
IT Documentation
TITLE: Accounting System Change Control
Document #: IT-006 v3
Effective Date: 12/1/09
Issued by: IT Department
Page Number: 1 of 3
1) PURPOSE
a) Sets forth policies relating to program or direct database changes to the
accounting system, its server, or its backup software used at Generic.
b) Sets forth procedures to follow to request, review, approve, and test changes
to the accounting system, its server, or its backup software at Generic.

2) SCOPE
a) This document applies to the accounting system installed at Generic’s
headquarters.
3) RESPONSIBILITIES
a) The IT department is responsible for generation and annual review and
update of this document.
b) The Controller or CFO is responsible for approving this document and any
subsequent changes.
c) Each requestor of a change is responsible for completing a change request
form and submitting it to the IT department.
