Scotty

Documenting passwords in a company environment

16 posts in this topic

Emails:

The way I've worked before is that only you know your password to your account. Of course there's a techie who has privs to access your emails etc., subject to the company policy, etc., but what are the latest rules?

I was talking to a company the other day who, because they are chasing recognition for BS ????, said that every member of staff must inform the director when their password is changed. This is then kept in the safe.

Should the need arise, then a "break glass" scenario happens and they can access the account.

Sounds wrong to me. Surely if you're the user and someone else knows your password, if anyone suggests any wrongdoing you can simply suggest it's not you, as your password has been disclosed.

So what's the real deal out there these days?


But any administrator can simply reset a person's password using the management console on the server. This is the break glass scenario they should use.


Sounds like crap to me. If the company need to get into your account for any reason (and I can't think of one) then you could just reset the person's password for them and let them know what it is...


Break glass is quite normal; we used to use it for access out of hours. It's a pain in the butt, but at least you have accountability: when someone got access, etc., and the reason why.

But it got a bit silly when root access was removed from the admin staff and given to some numpty in India that had no idea what to do with it. The idea being that someone with no knowledge can't do any harm, yet a trusted admin with years of experience and a vested interest in keeping his job would harm the company somehow.

So we just set up back doors into the system every time we gained root access so we could actually do our jobs.

But that's the investment banks for you.....


With us, emails are private. If someone needs access (i.e., a sensitive leaver, sick, manager or some other reason) then we need HR approval AND approval from the Legal dept. We'll change the password and a bod from legal sits with the person to check that person does not look through more than they need to, so keeping private stuff untouched.

If a password is changed without the proper permissions, the analyst can get into trouble for it. But this is a big multi-national and there are rules to be followed......


At a guess they're talking about BS 7799, or (more up to date) ISO27001 and ISO27002.

Anyone on here got free access to a copy? It definitely refers to passwords, 27001 covering the standard, 27002 offering codes of practice.

Presumably the process Scotty mentioned ensures an up to date secure record of passwords for use in the event of a break glass scenario, but doesn't involve the director being told what the passwords are - i.e. he is told when a password is changed because only he and a nominated keyholder have access to the safe to store the new one, but the password itself should not be disclosed - it would be handed to him in a sealed/signed envelope.

That's a valid process, but I'd have thought only relevant for the likes of server passwords rather than email, and definitely not a pre-requisite for obtaining ISO 27001.


That's a valid process, but I'd have thought only relevant for the likes of server passwords rather than email, and definitely not a pre-requisite for obtaining ISO 27001.

Sounds like a right faff of a process.

The IT Admin should be able to change a password should the need arise? Might need 'validation' of who it is, but there will be times when the Director and other keyholder might be out of the building?

What happens if someone 'forgets' their password? Is there a policy for that?


It's a faff, but it depends on the security level of the systems, which is why it doesn't seem appropriate or really necessary for corporate email.

There should also be a process for resetting a password if someone 'forgets' it - but they would need to be available for that. The 'break glass' is for when access is needed and they aren't available.


I think it's coz they're a very small outfit and don't have a full time techie. Hence the break glass approach works for them. Maybe that meets the BS/ISO thing for them?


I admin our email server (Google Apps Premier) and if someone forgets their password I can reset it and let them know the temporary one. If a sensitive member of staff were to leave or be fired, I'd close their account and look through their mails ;) [joke]

However we are a company of 22 staff.... not 22,000 !

With us, emails are private.

If push comes to shove, nothing is really "private" when using company assets.

If push comes to shove, nothing is really "private" when using company assets.

Our company email system is for business use; if you choose to use it for personal use you do so at your own risk. :coffee:


It's amazing what "rights" some employees think they have.

Our corporate email policy allows discretionary, reasonable personal use, but we are categorically warned that all emails will be scanned. Abuse can and has led to dismissal.

It's amazing what "rights" some employees think they have.

Our corporate email policy allows discretionary, reasonable personal use, but we are categorically warned that all emails will be scanned. Abuse can and has led to dismissal.

Exactly!

It's amazing the number of times people just click "ok" to the message box when they login without realising the consequences of what they've just agreed to.

If push comes to shove, nothing is really "private" when using company assets.

For some of our bods, the works email address is their only email address.

No one is really bothered by it, it comes up time and time again.

We have just rolled out some iPads and the bods were told to create an Apple ID using their private email address. Many said they haven't got one!

When we (unfortunately) got rid of a sales force, many rang us up and asked how to create an email address.

Hence our particular process.
