The discussion between the internal auditor and the database administrator is most likely centered
on the security risk present in the period between account creation and the first password change. When
a system generates a predictable default password such as "123456," it introduces a temporary vulnerability
that lasts until the user changes it.
Step-by-Step Analysis:
Understanding Default Password Security Risks:
Default passwords, especially predictable ones (e.g., "123456"), pose a security threat because they
are easy to guess.
If an unauthorized user gains access before the legitimate user changes the password, data
confidentiality and integrity may be compromised (IIA GTAG - Global Technology Audit Guide).
Evaluating the Window of Exposure:
The primary concern is the time between account creation and password reset.
During this time, an attacker could exploit the default password to gain unauthorized access to
sensitive systems.
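As an added illustration (not part of the original answer or of any IIA guidance), the control that shrinks this window: provisioning with a random one-time password that expires and can only be used to set a new one. The 24-hour time-to-live, the account names and the timeline are assumed values constructed for the example.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TEMP_PASSWORD_TTL = timedelta(hours=24)  # assumed policy value for the provisioning window

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool                # True until the user sets a password of their own
    expires_at: "datetime | None"    # temporary credential is unusable after this instant

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def provision(username: str, now: datetime) -> tuple:
    # Random one-time password instead of a fixed default such as "123456".
    temp = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(temp, salt), True, now + TEMP_PASSWORD_TTL), temp
def authenticate(acct: Account, supplied: str, now: datetime) -> str:
    # Returns "denied", "change_required" or "ok".
    if not secrets.compare_digest(_hash(supplied, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        if acct.expires_at is not None and now > acct.expires_at:
            return "denied"          # window closed unused: account must be re-provisioned
        return "change_required"     # temp password accepted only to set a new one
    return "ok"
def change_password(acct: Account, supplied: str, new_pw: str, now: datetime) -> bool:
    if authenticate(acct, supplied, now) == "denied":
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.must_change, acct.expires_at = False, None
    return True

def walkthrough() -> list:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    acct, temp = provision("jdoe", t0)
    results = [
        authenticate(acct, "123456", t0),                          # guessable default: rejected
        authenticate(acct, temp, t0 + timedelta(hours=1)),         # inside the window
        authenticate(*provision("asmith", t0), t0 + timedelta(days=2)),  # window expired unused
    ]
    change_password(acct, temp, "correct-horse-battery-9", t0 + timedelta(hours=1))
    results.append(authenticate(acct, temp, t0 + timedelta(hours=2)))  # old temp no longer valid
    results.append(authenticate(acct, "correct-horse-battery-9", t0 + timedelta(hours=2)))
    return results
```

The expired case is the one an auditor should look for: a temporary credential that was never used must stop working on its own rather than wait for a reset that never happens.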
Why Other Options Are Less Relevant:
Option A (Replacing numbers with characters) – While this improves security, it does not directly
address the risk of an attacker exploiting the default password before the user resets it.
Option B (Users continuing to use the initial password) – This is a security issue, but it is mitigated by
requiring a password reset upon first login. The primary concern is the time before the reset
happens.
Option D (User training on password management) – While training is crucial for long-term security,
it does not directly address the immediate vulnerability of default passwords before they are
changed.
Relevant IIA Reference:
IIA Global Technology Audit Guide (GTAG) 16: Data Management and Security
IIA Standard 2110 – Governance: Recommends addressing IT security risks, including credential
management.
IIA Practice Advisory 2130.A1-1: Internal auditors should assess whether management has identified,
assessed, and mitigated IT security risks, such as weak authentication practices.