A company’s AUP requires:
• Passwords must meet complexity requirements.
• Passwords are changed at least once every six months.
• Passwords must be at least eight characters long.
An auditor is reviewing the following report:
Which of the following controls should the auditor recommend to enforce the AUP?
A. Account lockout thresholds
B. Account recovery
C. Password expiration
D. Prohibit password reuse
I think this should be D. The reason Ann shows she has not changed her PW for the last 247 days, even with the “Passwords are changed at least once every six months” policy, may be that she re-uses her old password?
As you see, the AUP says every 6 months; if you check, 31×6 = 186.
So user Ann has not changed her password since 8 months ago.
The correct answer provided is C.
Wouldn’t “Passwords are changed at least once every six months” already be a password expiration?