PrepAway - Latest Free Exam Questions & Answers

What should the auditor’s PRIMARY concern be with th…

During an IS audit, one of your auditors has observed that some of the critical servers in your organization can
be accessed ONLY by using a shared/common user name and password. What should the auditor’s
PRIMARY concern be with this approach?


A.
Password sharing

B.
Accountability

C.
Shared account management

D.
Difficulty in auditing shared account

Explanation:
Identification and authentication are the keystones of most access control systems. Identification is the act of a
user professing an identity to a system, usually by supplying a log-on ID. It is identification that establishes
user accountability, because every later action on the system is recorded against that identity. Authentication
is verification that the claimed identity is valid, and is usually implemented with a password at log-on time.
Audit trails record the actions performed by an account, not by a person. When several people all log on with
the same shared account, the trail shows only that the shared account did something; there is no way to
determine which individual performed which action, and no way to hold anyone responsible for it. The control
that is lost is therefore accountability (answer B).
Incorrect Answers:
A: Password sharing is a symptom rather than the primary concern. The only secret shared here is the password
of the common account; the damage is what that sharing destroys, namely the link between an action and an
identifiable person.
C: Managing a shared account (rotating its password when someone leaves, distributing it securely) is a real but
secondary concern. The fact that the account is shared at all is the problem.
D: Auditing a single account is not difficult; its actions are logged like any other account’s. The problem is that
the log cannot tell you which person was using the account at any given time.

Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley
Publishing, Indianapolis, 2007, p. 57
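The accountability gap the explanation describes can be made concrete by running detection logic over login records. The following Python is an added example, not code from the original page or from the cited book. It parses constructed OpenSSH-style "Accepted" log lines (the hostnames, user names and addresses are made up for illustration), flags accounts that were logged into from several distinct source addresses within a short window, which is the signature a shared credential leaves in an audit trail, and then shows that attributing a shared account's logins to a person is only possible through an out-of-band guess such as an assumed source-IP-to-owner table, which is not identification and can be wrong.

```python
"""Spotting shared-account use in login records and showing why it breaks accountability.

Added example: the log lines, hosts, users and addresses below are constructed
for illustration and are not taken from the original page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style "Accepted" lines (syslog format, which carries no year).
SAMPLE_LOG = """\
Mar  3 09:01:12 db01 sshd[2101]: Accepted password for admin from 10.0.5.11 port 51122 ssh2
Mar  3 09:03:40 db01 sshd[2140]: Accepted password for admin from 10.0.5.27 port 50990 ssh2
Mar  3 09:05:02 db01 sshd[2188]: Accepted publickey for alice from 10.0.5.11 port 51200 ssh2
Mar  3 09:30:15 db01 sshd[2301]: Accepted password for admin from 10.0.5.43 port 49876 ssh2
Mar  3 10:10:00 db01 sshd[2450]: Accepted publickey for bob from 10.0.5.27 port 51301 ssh2
"""

# Accounts assumed (for this example) to be shared/common credentials on these hosts.
SHARED_ACCOUNTS = {"admin"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_logins(text, year=2024):
    """Turn raw log text into (timestamp, host, user, source_ip, method) tuples.

    Syslog lines carry no year, so one is supplied; lines that do not match the
    "Accepted" pattern are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  3")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["ip"], m["method"]))
    return events


def find_shared_accounts(events, window=timedelta(hours=1), min_sources=2):
    """Flag (host, user) pairs logged into from >= min_sources distinct addresses
    within `window`. One person rarely arrives from several workstations in an
    hour; several people using one credential do. Returns {(host, user): [ips]}."""
    by_account = defaultdict(list)
    for ts, host, user, ip, _method in events:
        by_account[(host, user)].append((ts, ip))

    flagged = {}
    for key, logins in by_account.items():
        logins.sort()
        for i, (start, _ip) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) >= min_sources:
                flagged[key] = sorted(ips)
                break
    return flagged


def attribute_logins(events, ip_owner):
    """Best-effort mapping of each login to a person.

    An individual account names its owner directly. A shared account does not:
    the only clue is the source address, looked up in `ip_owner` (an assumed,
    out-of-band inventory that is not identification and can be wrong). An
    address absent from the table leaves the action attributable to no one.
    Returns [(time string, user, person_or_None)].
    """
    result = []
    for ts, _host, user, ip, _method in events:
        person = ip_owner.get(ip) if user in SHARED_ACCOUNTS else user
        result.append((ts.strftime("%H:%M:%S"), user, person))
    return result


if __name__ == "__main__":
    evts = parse_logins(SAMPLE_LOG)
    for (host, user), ips in find_shared_accounts(evts).items():
        print(f"{host}: account '{user}' used from {len(ips)} addresses within one hour: {', '.join(ips)}")
    owners = {"10.0.5.11": "alice", "10.0.5.27": "bob"}  # assumed workstation inventory
    for when, user, person in attribute_logins(evts, owners):
        print(f"{when} {user:<6} -> {person or 'UNKNOWN (no accountability)'}")
```

On the constructed input the shared `admin` account is flagged because three different addresses used it within thirty minutes, while `alice` and `bob` are not. The attribution pass then shows the auditor's point: the individual accounts resolve to a person from the log alone, whereas the `admin` logins resolve only through the assumed address inventory, and the one from an unlisted address cannot be attributed to anyone at all.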

