After programming and installation have been completed, a system security administrator or installation technician initializes an execution program to activate the system for the first time. The system should be programmed to recognize a system user ID and maiden password. The system user ID and maiden password should be specified in the system documentation in the event the system needs to be reinitialized at a later date. The system should be programmed such that, on entering the system user ID and maiden password, the system security administrator is required to enter a new password consisting of eight or more alpha-numeric, case-sensitive characters. By allowing combinations of numbers and case-sensitive letters to be used in a password, the number of possible character combinations is significantly increased. A longer minimum password length requirement for the system user ID should be programmed into high-risk systems.

Password characters should not appear on the terminal screen as they are entered by the system security administrator. This control is called password masking. Password masking makes it difficult for a passerby or observer to steal another user's password and then perform unauthorized activities.

The system should also be programmed so that passwords cannot be viewed by the system security administrator from within the application, database management system (if applicable), or at the operating system level. To accomplish this, ...
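The first-activation procedure described above (maiden credentials, a forced change to a policy-compliant password, masked entry, and passwords that are not viewable after the fact) can be made concrete in code. The following Python is an added example, not code from the book; the system user ID, maiden password and iteration count are constructed placeholders, and the salted PBKDF2 hash used for storage is this example's assumption, since the excerpt is cut off before it says how non-viewable passwords are achieved. The `keyspace` helper also quantifies the excerpt's point about case-sensitive alpha-numeric characters enlarging the number of possible combinations.

```python
import getpass
import hashlib
import hmac
import os
import string

# Constructed values for this example. A real system takes its system user ID
# and maiden password from the system documentation, as the excerpt describes.
SYSTEM_USER_ID = "SYSADMIN"
MAIDEN_PASSWORD = "Maiden2024Setup"  # constructed placeholder, not a real default
MIN_PASSWORD_LENGTH = 8              # raise this minimum on high-risk systems
PBKDF2_ROUNDS = 100_000              # assumed work factor for the stored hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of the given length over an alphabet of that size.
    Digits only: 10**8; case-sensitive letters plus digits: 62**8."""
    return alphabet_size ** length


def check_password_policy(candidate: str, min_length: int = MIN_PASSWORD_LENGTH) -> list:
    """Return policy violations; an empty list means the password is acceptable.

    Policy taken from the excerpt: at least min_length characters, alpha-numeric
    (letters and digits), compared case-sensitively. Mixed case is not required.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not any(c in string.ascii_letters for c in candidate):
        problems.append("contains no letters")
    if not any(c in string.digits for c in candidate):
        problems.append("contains no digits")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store only a salted hash so the clear-text password is never viewable
    from the application, the DBMS or the operating system (assumed technique)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Case-sensitive check against the stored hash, using a constant-time compare."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def new_credential_store() -> dict:
    """Store as shipped: the system user ID with its maiden password, flagged
    so that the first login must replace it."""
    salt, digest = hash_password(MAIDEN_PASSWORD)
    return {SYSTEM_USER_ID: {"salt": salt, "hash": digest, "must_change": True}}


def activate_system(store: dict, user_id: str, password: str, new_password: str) -> str:
    """First activation: accept the maiden credentials, require a policy-compliant
    new password, and overwrite the maiden hash. Returns a status string."""
    record = store.get(user_id)
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        return "rejected: bad user ID or password"
    if not record["must_change"]:
        return "already activated"
    problems = check_password_policy(new_password)
    if problems:
        return "rejected: new password " + "; ".join(problems)
    if verify_password(new_password, record["salt"], record["hash"]):
        return "rejected: new password must differ from the maiden password"
    salt, digest = hash_password(new_password)
    store[user_id] = {"salt": salt, "hash": digest, "must_change": False}
    return "activated"


def prompt_masked(label: str) -> str:
    """Password masking: getpass reads from the terminal without echoing."""
    return getpass.getpass(label)


if __name__ == "__main__":
    store = new_credential_store()
    print("8-character passwords, digits only:", keyspace(10, 8))
    print("8-character passwords, case-sensitive alpha-numeric:", keyspace(62, 8))
    uid = input("System user ID: ")
    maiden = prompt_masked("Maiden password: ")
    replacement = prompt_masked("New password: ")
    print(activate_system(store, uid, maiden, replacement))
```

Run interactively, the script never echoes either password, the maiden password is unusable once `activate_system` returns "activated", and a later attempt with a differently cased password fails because the hash comparison is exact.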

Get Auditing Information Systems, Second Edition now with the O’Reilly learning platform.