
Documenting passwords in a company environment

Scotty


Emails:

The way I've worked before is that only you know the password to your account. Of course there's a techie who has the privileges to access your emails etc., subject to company policy, but what are the latest rules?

I was talking to a company the other day who, because they are chasing recognition for BS ????, said that every member of staff must inform the director when their password is changed. This is then kept in the safe.

Should the need arise, then a "break glass" scenario happens and they can access the account.

Sounds wrong to me. Surely if you're the user and someone else knows your password, then if anyone suggests any wrongdoing you can simply say it wasn't you, as your password has been disclosed.

So what's the real deal out there these days?


Break-glass is quite normal; we used to use it for access out of hours. It's a pain in the butt, but at least you have accountability: when someone got access, and the reason why.

But it got a bit silly when root access was removed from the admin staff and given to some numpty in India that had no idea what to do with it. The idea being that someone with no knowledge can't do any harm, yet a trusted admin with years of experience and a vested interest in keeping his job would harm the company somehow.

So we just set up back doors into the system every time we gained root access so we could actually do our jobs.

But that's the investment banks for you.....


With us, emails are private. If someone needs access (i.e. a sensitive leaver, sickness, a manager's request or some other reason) then we need HR approval AND approval from the Legal dept. We'll change the password and a bod from Legal sits with the person to check that they do not look through more than they need to, so keeping private stuff untouched.

If a password is changed without the proper permissions, the analyst can get into trouble for it. But this is a big multinational and there are rules to be followed......


At a guess they're talking about BS 7799, or (more up to date) ISO27001 and ISO27002.

Anyone on here got free access to a copy? It definitely refers to passwords, 27001 covering the standard, 27002 offering codes of practice.

Presumably the process Scotty mentioned ensures an up-to-date, secure record of passwords for use in the event of a break-glass scenario, but doesn't involve the director being told what the passwords are - i.e. he is told when a password is changed because only he and a nominated keyholder have access to the safe to store the new one, but the password itself should not be disclosed - it would be handed to him in a sealed/signed envelope.

That's a valid process, but I'd have thought only relevant for the likes of server passwords rather than email, and definitely not a pre-requisite for obtaining ISO 27001.

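The sealed-envelope arrangement described above has a straightforward digital analogue, shown here as an added example that is not part of the thread and not any poster's process. The password is split into two shares (2-of-2 XOR secret sharing), one for the director and one for the nominated keyholder, so neither can read it alone; a digest of the envelope is recorded at deposit time as the "seal", and every break-glass open is written to an audit log with who opened it and why. The `EnvelopeRegister` class, the account name `jsmith` and the sample password are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def _seal(account: str, share_a: bytes, share_b: bytes) -> str:
    # The seal covers the account name and both shares. The register stores
    # only this digest, so the register alone reveals nothing about the password.
    h = hashlib.sha256()
    h.update(account.encode("utf-8") + b"\x00" + share_a + b"\x00" + share_b)
    return h.hexdigest()


class EnvelopeRegister:
    """The 'safe': a register of sealed envelopes plus an audit trail.

    Hypothetical helper written for this example; it models the sealed-envelope
    idea from the thread, not any real product or the poster's actual process.
    """

    def __init__(self) -> None:
        self.register: dict[str, dict] = {}   # account -> {"seal": hex, "opened": bool}
        self.audit: list[dict] = []           # append-only log of deposits and opens

    def _log(self, event: str, account: str, **extra) -> None:
        self.audit.append({"ts": time.time(), "event": event, "account": account, **extra})

    def deposit(self, account: str, password: str) -> tuple[bytes, bytes]:
        """Seal a new envelope. Returns (director_share, keyholder_share).

        Share A is uniformly random; share B = password XOR share A. Either
        share on its own is uniformly random, so one keyholder learns nothing.
        """
        pw = password.encode("utf-8")
        share_a = secrets.token_bytes(len(pw))
        share_b = _xor(pw, share_a)
        self.register[account] = {"seal": _seal(account, share_a, share_b), "opened": False}
        self._log("deposit", account)
        return share_a, share_b

    def break_glass(self, account: str, share_a: bytes, share_b: bytes,
                    opened_by: str, reason: str) -> str:
        """Open the envelope: verify the seal, log the open, reconstruct the password.

        An opened envelope cannot be opened twice; the account password has
        to be rotated and a fresh envelope deposited.
        """
        entry = self.register.get(account)
        if entry is None:
            raise KeyError(f"no envelope on record for {account}")
        if entry["opened"]:
            raise RuntimeError("envelope already opened; rotate the password and re-deposit")
        if not hmac.compare_digest(_seal(account, share_a, share_b), entry["seal"]):
            # Tampered or mismatched shares: record the failed attempt too.
            self._log("seal_mismatch", account, opened_by=opened_by)
            raise ValueError("seal does not match: tampered envelope or wrong shares")
        entry["opened"] = True
        self._log("break_glass", account, opened_by=opened_by, reason=reason)
        return _xor(share_a, share_b).decode("utf-8")


def demo() -> dict:
    """Deposit a constructed sample password and open it under break-glass."""
    safe = EnvelopeRegister()
    director_share, keyholder_share = safe.deposit("jsmith", "Tr0ub4dor&3")
    recovered = safe.break_glass("jsmith", director_share, keyholder_share,
                                 opened_by="director+legal",
                                 reason="staff member off sick, urgent client mail")
    return {"recovered": recovered, "events": [e["event"] for e in safe.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit log is what gives the "accountability" the thread mentions; in practice it needs to live somewhere the keyholders cannot edit. Note also that the register rejects a second open: once the glass is broken the account password is known to someone other than its owner, so it should be changed and a new envelope deposited.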

That's a valid process, but I'd have thought only relevant for the likes of server passwords rather than email, and definitely not a pre-requisite for obtaining ISO 27001.

Sounds like a right faff of a process.

The IT admin should be able to change a password should the need arise? It might need 'validation' of who it is, but there will be times when the director and the other keyholder are out of the building.

What happens if someone 'forgets' their password? Is there a policy for that?


It's a faff, but it depends on the security level of the systems, which is why it doesn't seem appropriate or really necessary for corporate email.

There should also be a process for resetting a password if someone 'forgets' it - but they would need to be available for that. The 'break glass' is for when access is needed and they aren't available.


I admin our email server (Google Apps Premier) and if someone forgets their password I can reset it and let them know the temporary one. If a sensitive member of staff were to leave or be fired, I'd close their account and look through their mails ;) [joke]

However we are a company of 22 staff.... not 22,000 !


It's amazing what "rights" some employees think they have.

Our corporate email policy allows discretionary, reasonable personal use, but we are categorically warned that all emails will be scanned. Abuse can and has led to dismissal.

Exactly!

It's amazing the number of times people just click "OK" on the message box when they log in without realising the consequences of what they've just agreed to.


If push comes to shove, nothing is really "private" when using company assets.

For some of our bods, the work email address is their only email address.

No one is really bothered by it, it comes up time and time again.

We have just rolled out some iPads and the bods were told to create an Apple ID using their private email address. Many said they haven't got one!

When we (unfortunately) got rid of a sales force, many rang us up and asked how to create an email address.

Hence our particular process.
