The discussion between the internal auditor and the database administrator is most likely centered around the security risk present in the period between account creation and password change. When a system generates a default password such as "123456," it introduces a temporary vulnerability until the user changes it.
Understanding Default Password Security Risks:
Default passwords, especially predictable ones (e.g., "123456"), pose a security threat because they are easy to guess.
If an unauthorized user gains access before the legitimate user changes the password, data confidentiality and integrity may be compromised (IIA GTAG - Global Technology Audit Guide).
Evaluating the Window of Exposure:
The primary concern is the time between account creation and password reset.
During this time, an attacker could exploit the default password to gain unauthorized access to sensitive systems.
Why Other Options Are Less Relevant:
Option A (Replacing numbers with characters) – While this improves security, it does not directly address the risk of an attacker exploiting the default password before the user resets it.
Option B (Users continuing to use the initial password) – This is a security issue, but it is mitigated by requiring a password reset upon first login. The primary concern is the time before the reset happens.
Option D (User training on password management) – While training is crucial for long-term security, it does not directly address the immediate vulnerability of default passwords before they are changed.
IIA Global Technology Audit Guide (GTAG) 16: Data Management and Security
IIA Standard 2110 – Governance: Recommends addressing IT security risks, including credential management.
IIA Practice Advisory 2130.A1-1: Internal auditors should assess whether management has identified, assessed, and mitigated IT security risks, such as weak authentication practices.
Step-by-Step Analysis:Relevant IIA References:
Submit