Biometric Device and Sarbanes Oxley

By ntambe
We are planning to implement biometric authentication in our organization.
We would be using devices like USB fingerprint scanners connected to desktops; the corresponding application would store the password only on the local PCs.
For user authentication, the user would scan his finger and the software (that comes with the biometric device) would translate his fingerprint into a password that would be sent across the network to the server. So the server has no clue about the biometric device in place.

Can we use this mechanism to have non-expiring user passwords, and will this comply with Sarbanes-Oxley? Or do I need server-based fingerprint software?

Can someone please guide me on this, as I am new to the biometric world.



by dnvrtechgrrl In reply to Biometric Device and Sarb ...

As far as I can tell, though, biometrics really hasn't been taken into consideration.

I would try to find a contact at the DOD and see if they have someone there who can shed light on the situation.

I believe they are running the scanners out there.


Two different issues

by amcol In reply to Biometric Device and Sarb ...

I'm no expert, and this is an unqualified opinion.

SOX section 404 (all two paragraphs of it) says nothing about anything, which is why a multi-billion dollar industry has sprung up attempting to define what compliance really means. Biometric devices became commercially available after SOX originally came out, so you wouldn't find any guidance in the law under any set of circumstances.

Personally, I don't believe the use of biometrics in any form can be construed as a violation of anyone's definition of SOX compliance.

You have another issue, however, which is non-expiring passwords. The fact that you're enabling that via biometrics isn't the issue; it's the fact you're doing it at all. Not only is that in no way, shape or form an IT best practice (quite the contrary), THAT'S the violation you should be concerned with.

I'd go with biometrics for a variety of reasons (we use fingerprint PCMCIA cards in my organization) but I would definitely NOT go with non-expiring passwords.

Oh, and BTW...with due respect to the previous poster, soliciting DoD won't do anything for you. Government agencies aren't (yet) subject to SOX compliance.


no solicitation -- but SOX 404 does address access controls

by sdattoli In reply to Two different issues

I was just trying to be a part of the discussion. If I were soliciting business, I would have included a phone number or email. I just joined the site so I thought it was important to identify myself. My section of the organization for which I work has nothing to do with DOD thus I couldn't do anything for them anyway.

However, I do work with Fortune 1000 companies every day on SOX, HIPAA, and best practices in security. I can tell you first hand that their audit committees are looking at the IT organization and vendors to address many aspects of SOX.

As an example, in order for a company to be in compliance, they must review, develop, and implement access controls. Then, they must maintain access controls and finally, they must report on those access controls.

Some of the IT issues that CXOs and auditors have focused on are: over-privileged users, unsecured files and folders, password issues (including NON-EXPIRING PASSWORDS), group policies, and improper group memberships.

I agree there is a lot of nonsense out there, but the Fortune 1000 are especially aware of what they need to do and are doing fairly well. The interesting thing about SOX is that it really never ends. Even after a company becomes compliant, they still have to "maintain" and "report on access controls." That alone, keeps a lot of people very busy.

SRD (better?)


Biometrics does not cover all Password issues for SOX 404 compliance

by sdattoli In reply to Biometric Device and Sarb ...

Obviously it is one way one may choose to implement access controls, and it might impress someone in a SOX audit regarding the issue of desktop and laptop passwords.

Keep in mind that there are still multitudes of service accounts which require passwords, i.e. accounts used by processes and services across the network, not users. You will still need password maintenance for that. Biometrics won't help there.

Sean Dattoli
ScriptLogic Corp.


Biometrics & Sarbanes Oxley

by Rbencheikh In reply to Biometric Device and Sarb ...

I came across this article, "New Software Provides Enterprises With the Ability to Manage Fingerprint Authentication Through the Network"; it might be worth contacting the company and getting some information from them.


What about this

by oskiller In reply to Biometric Device and Sarb ...

I don't know the SOX requirements for things, but what if you used the fingerprint in addition to something like a PIN? Smart cards generally work on the concept of keeping a certificate which validates your ID, but you need to put in a PIN to validate that you are the correct person trying to use the card. There might be a way to do that with the fingerprint as well; if the PINs don't match, it doesn't matter then....


Further reading

by IT-Governance In reply to Biometric Device and Sarb ...

Quite a challenging issue you raise.

The analyst report you can find at
links identity and access management to SOX Section 404. "Protecting enterprise information assets from unauthorized access will continue to represent a significant challenge", the author writes.

In the article at,1759,1782435,00.asp
the author writes "Although it's not a panacea to thwart identity theft and online fraud, strong [two-factor] authentication is the best solution available today."

I would use biometric authentication to raise from a password only to a two factor authentication scheme. Two-factor authentication is a way to gain access by combining something you know (PIN, password) with something you have (token, smart card, fingerprint).

From an IT-Governance perspective I would urge implementing a number of security measures. Non-expiring passwords are definitely not acceptable. More on security policies on
I find their password protection policy provides some clear guidance.

Hubert Vellekoop
IT Governance consultant
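The two designs discussed in this thread, side by side, as an added example that is not part of any post above: the opening post's scheme, where a local fingerprint match releases a fixed password to a server that only ever sees a password, and the two-factor, challenge-response direction suggested in oskiller's and IT-Governance's replies. Everything in it is the example's own assumption: the exact-compare stand-in for the vendor's fuzzy matcher, the user name and PIN, and the HMAC-over-nonce exchange, which is one way to build a "server-based" design rather than any particular product.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the enrolled template. Real matching is fuzzy and
# lives inside the scanner SDK; an exact compare is enough to model match/no match.
ENROLLED_TEMPLATE = b"constructed-template-of-alice-finger"


def biometric_match(presented: bytes) -> bool:
    return hmac.compare_digest(presented, ENROLLED_TEMPLATE)


# ---- Scheme 1 (the opening post): a finger match releases a fixed password ----

class PasswordVault:
    """Desktop side: the password sits here and is released on a finger match."""

    def __init__(self, password: str) -> None:
        self._password = password

    def release(self, presented_finger: bytes) -> Optional[str]:
        return self._password if biometric_match(presented_finger) else None


class PasswordServer:
    """Server side: plain salted password check; it never hears of the scanner."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))

    def login(self, user: str, password: Optional[str]) -> bool:
        if password is None or user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))


def scheme1_demo() -> Tuple[bool, bool]:
    """Returns (legitimate login ok, replay of the captured password ok)."""
    server = PasswordServer()
    server.enroll("alice", "static-password-never-rotated")
    vault = PasswordVault("static-password-never-rotated")

    sent = vault.release(ENROLLED_TEMPLATE)   # finger present: the password leaves the PC
    legit_ok = server.login("alice", sent)
    # Anyone who saw `sent` cross the network needs no finger, now or next year.
    replay_ok = server.login("alice", sent)
    return legit_ok, replay_ok                # (True, True)


# ---- Scheme 2 (the replies' direction): finger + PIN unlock a key, server challenges ----

class KeyVault:
    """Desktop side: two factors gate a per-user key that never leaves the PC."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin = pin.encode()

    def respond(self, presented_finger: bytes, pin: str, nonce: bytes) -> Optional[bytes]:
        if not (biometric_match(presented_finger) and hmac.compare_digest(pin.encode(), self._pin)):
            return None
        return hmac.new(self._key, nonce, "sha256").digest()


class ChallengeServer:
    """Server side: holds each user's key and hands out one-time nonces."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is good for one attempt only
        if nonce is None or response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def scheme2_demo() -> Tuple[bool, bool, bool]:
    """Returns (legitimate ok, replay of a captured response ok, wrong finger ok)."""
    key = secrets.token_bytes(32)
    server = ChallengeServer()
    server.enroll("alice", key)
    vault = KeyVault(key, pin="4271")

    nonce = server.challenge("alice")
    response = vault.respond(ENROLLED_TEMPLATE, "4271", nonce)
    legit_ok = server.verify("alice", response)

    server.challenge("alice")                 # a fresh nonce makes the old response worthless
    replay_ok = server.verify("alice", response)

    nonce = server.challenge("alice")
    wrong_ok = server.verify("alice", vault.respond(b"someone-else", "4271", nonce))
    return legit_ok, replay_ok, wrong_ok       # (True, False, False)


if __name__ == "__main__":
    print("scheme 1, static password:", scheme1_demo())
    print("scheme 2, challenge-response:", scheme2_demo())
```

The point the replies make shows up in the return values. In the first scheme the captured password logs in again with no finger involved, which is exactly a non-expiring password with a fancier way of typing it, and nothing on the server side can tell the difference. In the second scheme the server holds a per-user key it can rotate or revoke on its own schedule, the desktop releases nothing without both factors, and a response captured on the wire is dead as soon as the next challenge is issued.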
