The main intention of SOX is to establish verifiable security controls that protect confidential data and to track user activity so that potential risk or fraud can be detected. While SOX itself has no requirements around password management, security experts recommend that organizations adopt the following best practices.
Automate password and account reset – eliminate human error and the potential for fraud from someone impersonating the user to gain access.
IP address verification – a security test is performed to verify the IP address of the request, such as checking whether the password reset request comes from a workstation the user typically works on.
Behavior-based probability testing – a security check to confirm the user was not locked out for an extended period of time before the request.
If the user fails any of these security tests, the user is directed to seek assistance from the security manager.
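The reset flow above, as an added example that is not part of the original text: a small gate that runs the two checks (source IP against the user's known workstations, and an extended prior lockout) and escalates to the security manager on any failure, producing an audit record for each decision. The class names, the 24-hour lockout threshold, the CIDR-based notion of "known workstation" and all sample users and addresses are assumptions constructed for illustration.

```python
"""Added example: a self-service password-reset gate applying the
IP/workstation check and the lockout-history check, escalating on failure.
Thresholds, names and sample data are assumptions, not from any product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed policy: a lockout longer than this counts as "extended".
MAX_PRIOR_LOCKOUT = timedelta(hours=24)


@dataclass
class UserProfile:
    username: str
    known_workstations: List[str]            # CIDR strings the user normally works from
    lockout_started: Optional[datetime] = None
    lockout_ended: Optional[datetime] = None  # None means still locked at request time


@dataclass
class ResetRequest:
    username: str
    source_ip: str
    requested_at: datetime


@dataclass
class Decision:
    action: str                               # "allow" or "escalate"
    reasons: List[str] = field(default_factory=list)
    audit: dict = field(default_factory=dict)  # record kept for SOX-style traceability


def ip_matches_known_workstation(source_ip: str, known: List[str]) -> bool:
    """True if the request address falls inside any of the user's known networks."""
    try:
        addr = ip_address(source_ip)
    except ValueError:                        # malformed address: treat as unknown
        return False
    return any(addr in ip_network(net, strict=False) for net in known)


def had_extended_lockout(profile: UserProfile, request_time: datetime) -> bool:
    """True if the account's most recent lockout lasted longer than the threshold."""
    if profile.lockout_started is None:
        return False
    end = profile.lockout_ended or request_time
    return end - profile.lockout_started > MAX_PRIOR_LOCKOUT


def evaluate_reset(request: ResetRequest, profile: UserProfile) -> Decision:
    """Run every check; any failure routes the user to the security manager."""
    reasons: List[str] = []
    if not ip_matches_known_workstation(request.source_ip, profile.known_workstations):
        reasons.append("source IP is not a workstation the user typically works from")
    if had_extended_lockout(profile, request.requested_at):
        reasons.append("account had an extended lockout before this request")
    action = "escalate" if reasons else "allow"
    audit = {
        "user": request.username,
        "source_ip": request.source_ip,
        "time": request.requested_at.isoformat(),
        "action": action,
        "reasons": list(reasons),
    }
    return Decision(action, reasons, audit)


# Constructed sample data (hypothetical users, RFC 5737 / private addresses).
T = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
PROFILES: Dict[str, UserProfile] = {
    "alice": UserProfile("alice", ["10.1.5.0/24"]),
    "bob": UserProfile("bob", ["10.1.5.0/24"]),
    "carol": UserProfile("carol", ["10.2.0.0/16"],
                         lockout_started=T - timedelta(days=4),
                         lockout_ended=T - timedelta(days=1)),     # 3-day lockout
    "dave": UserProfile("dave", ["10.2.0.0/16"],
                        lockout_started=T - timedelta(hours=2),
                        lockout_ended=T - timedelta(minutes=90)),  # 30-minute lockout
}
REQUESTS = [
    ResetRequest("alice", "10.1.5.23", T),     # known workstation, no lockout
    ResetRequest("bob", "203.0.113.9", T),     # unfamiliar external address
    ResetRequest("carol", "10.2.7.1", T),      # known workstation, extended lockout
    ResetRequest("dave", "10.2.9.4", T),       # known workstation, short lockout
]


def run_samples() -> Dict[str, str]:
    """Evaluate each sample request and return username -> action."""
    return {r.username: evaluate_reset(r, PROFILES[r.username]).action for r in REQUESTS}


if __name__ == "__main__":
    for r in REQUESTS:
        print(evaluate_reset(r, PROFILES[r.username]).audit)
```

Each decision carries its own audit record, which is the part that matters for a SOX-style control: the reset is automated, but every allow or escalate is traceable after the fact.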