Password Configurations and Audit Trail Data in NetSuite
in NetSuite by Jeff Hare
Written by Connor Thompson, CIA, CISA
Passwords serve as the first line of defense against unauthorized access to a NetSuite environment and are a key IT general control.
By implementing strong password policies and properly configuring password requirements in alignment with password policies, organizations can significantly reduce the risk of data breaches. These policies should include requirements for minimum password length, complexity, and regular changes. Ensuring users create and maintain strong passwords helps protect against brute-force attacks, social engineering attacks, dictionary attacks, and other common methods used by cyber criminals to gain unauthorized access.
Password configurations are set through the General Preferences page – see Figure 1:
NetSuite makes configuring strong password policies easy by enabling the following configuration options:
- Weak – Minimum of six characters
- Medium – Minimum of 8 characters and at least two of the following four character types: uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
- Strong – Minimum of 10 characters and at least three of the following four character types: uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
Configuration Options
The following (Figure 2) is a view of password configuration options within the General Preferences page:
Figure 2 shows the password policy configured as “Strong.” However, the minimum password length has been increased to 12 characters from the default of 10 characters.
Security standards and frameworks, such as NIST Special Publication 800-63B, suggest a minimum of 12 characters. Organizations can readily meet these requirements by setting the minimum password length field to 12. Other popular security and control frameworks encourage the mixed use of uppercase and lowercase letters, numbers, and special characters. Organizations can ensure these are required by setting the password policy configuration field within the General Preferences page to Strong.
Audit Logs
Equally important is the monitoring of password audit logs. The General Preferences page audit trail in NetSuite provides a detailed record of changes to fields within the page. These include updates to the Password Policy configuration, the Minimum Password Length configuration, and the Password Expiration in Days configuration. Regularly reviewing the General Preferences page audit log enables organizations to detect and respond to unauthorized updates to password configurations promptly. In addition, the detailed logs enable auditors to evaluate if password policies have been consistent with in-scope standards, frameworks, and regulations for an audit period.
Together, strong password configurations and diligent monitoring of the relevant audit logs form important IT general controls. These are necessary for any organization storing and managing sensitive information and business data. Furthermore, while strong password policies enhance authentication controls, audit logs provide a trail of activity that can be analyzed to detect and respond to unauthorized updates. This approach not only aids in safeguarding sensitive information but also supports compliance with regulatory requirements such as PCI DSS, which mandates specific password controls. The process below provides a walkthrough of how to access the General Preferences page in NetSuite and the General Preferences audit trail.
Conclusion
In conclusion, by implementing strong password policies and properly configuring password requirements, organizations can significantly reduce compliance, cyber security, fraud, data security, and operational risks. If you have questions after reviewing the following steps, or would like more information on password configurations and audit trail data within NetSuite, reach out to us at support@erpra.net. You can also check out our page on NetSuite for more information on how we can help in other ways.
How to Access General Preferences & Access the General Preferences Audit Trail in NetSuite
1. Follow the menu path Setup → Company → General Preferences
2. Scroll over the ‘More’ tab and select ‘Audit Trail.’
3. Review the General Preferences audit trail to monitor activity. The activity tracked includes:
- The preference (field) that was updated,
- User who modified the preference,
- What role was used to execute the update,
- Date and time,
- And the old and new value of whatever preference was updated.
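
The review in step 3 can be scripted once the audit trail rows have been copied into a CSV file. The following is an added example, not part of the original article and not NetSuite code: the column names, the sample rows, the baseline of 12, and the choice to treat a longer or blank expiration as a weakening change are all assumptions.

```python
import csv
import io

# Constructed sample rows; the column names are assumptions, not NetSuite's own layout.
SAMPLE_AUDIT_CSV = """\
Date,User,Role,Preference,Old Value,New Value
2024-03-01 09:12,A. Admin,Administrator,Minimum Password Length,10,12
2024-04-17 22:41,B. Temp,Administrator,Password Policy,Strong,Medium
2024-04-17 22:42,B. Temp,Administrator,Minimum Password Length,12,8
2024-05-02 10:05,A. Admin,Administrator,Password Expiration in Days,90,180
2024-05-03 11:30,A. Admin,Administrator,Date Format,MM/DD/YYYY,DD/MM/YYYY
"""

POLICY_RANK = {"Weak": 0, "Medium": 1, "Strong": 2}
MIN_LENGTH_BASELINE = 12  # assumption: the length configured in this article


def to_int(value):
    """Return an int, or None for a blank or non-numeric cell."""
    try:
        return int(value)
    except ValueError:
        return None


def weakening_reason(row):
    """Return why a change weakens password settings, or None if it does not."""
    pref = row["Preference"].strip()
    old, new = row["Old Value"].strip(), row["New Value"].strip()
    if pref == "Password Policy":
        # An unrecognized new value ranks below every known policy and is flagged.
        if POLICY_RANK.get(new, -1) < POLICY_RANK.get(old, -1):
            return f"policy lowered from {old} to {new}"
    elif pref == "Minimum Password Length":
        n = to_int(new)
        if n is None or n < MIN_LENGTH_BASELINE:
            return f"minimum length set to {new or 'blank'}, below {MIN_LENGTH_BASELINE}"
    elif pref == "Password Expiration in Days":
        o, n = to_int(old), to_int(new)
        if n is None or (o is not None and n > o):
            return f"expiration changed from {old or 'blank'} to {new or 'blank'} days"
    return None


def review(csv_text):
    """Return (date, user, role, reason) for every weakening change."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["Date"], r["User"], r["Role"], reason)
            for r in rows if (reason := weakening_reason(r))]
```

Each finding carries the user, role, and timestamp from the audit trail, so it can be matched against an approved change request.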