>Howard C. Berkowitz wrote:
>>
>>  Password structure is too detailed for the security policy,
>>  although
>>  it's necessary in the security design. The policy should state
>>  something on the order that people must protect their
>>  passwords,
>>  whether they can or cannot change their own, etc.
>>
>
>OK, the part about protecting/changing passwords is a given, but I wonder
>about your comment that "password structure is too detailed..."
>
>...where to put the details about that which you are trying to protect...in
>a SOP on passwords?  or possibly as appendix to the official security
>policy?
>
>My view of security policy is that it needs to lay the law, include
>specifics on complying with said law, and detail the penalties for
>non-compliance.  Telling people that they need to protect their passwords is
>not enough, they need to know what the organization considers protecting
>said passwords.
>
>Without these specifics, I could make the case that writing my password
>backwards on a sticky note and placing it in my wallet is protection enough,
>and why not, the policy only told me to protect it, it did not tell me the
>required manner and depth of the protection.
>
>Can you clarify further where you would put such details?


In a security procedures manual. Think of the security policy, in 
part, as something that you might have to explain to nontechnical 
people in court, indicating your management thought of the issues.

So, the company security manual might say "writing your password down 
can be disciplined, initially by one week suspension with pay. Giving 
the password to an unauthorized person outside the organization is 
grounds for immediate termination.

"Passwords may not be a word in any language, spelled forward or 
backward. They must be at least x characters long and contain at 
least y numbers or special characters.  Managers may require certain 
key passwords to be escrowed, with a copy placed in designated secure 
storage"

The policy will say "passwords and other identification devices will 
be protected. Employees violating this policy face sanctions up to 
and including dismissal and/or appropriate civil or criminal action."

>
>TIA,
>
>Charles
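The password-structure rules Howard places in the procedures manual (no dictionary word forward or backward, at least x characters, at least y digits or special characters) can be written down as a checker so that compliance is testable rather than argued over. The following is an added example, not code from the thread or from either poster; it assumes x = 12 and y = 2, uses a constructed five-word stand-in for a real dictionary, and goes slightly beyond the wording by testing the alphabetic core of the password, so that a dictionary word padded with digits is also rejected.

```python
"""Password-structure checker for a procedures-manual rule set (added example)."""

# Assumed policy parameters; the thread leaves "x" and "y" unspecified.
MIN_LENGTH = 12        # x: minimum total length
MIN_NON_ALPHA = 2      # y: minimum count of digits or special characters

# Constructed stand-in for a real word list; a deployment would load
# one or more language dictionaries from disk instead.
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret"}


def is_dictionary_word(password: str, words=DICTIONARY) -> bool:
    """True if the alphabetic core of the password, ignoring case, is a listed
    word spelled forward or backward ("dragon", "nogard", "Dragon123" all match).
    """
    core = "".join(c for c in password if c.isalpha()).lower()
    return bool(core) and (core in words or core[::-1] in words)


def check_password(password: str, min_length: int = MIN_LENGTH,
                   min_non_alpha: int = MIN_NON_ALPHA, words=DICTIONARY) -> list:
    """Return the names of the rules the password violates.

    An empty list means the password complies with every rule, which is the
    condition an enrolment or password-change screen would enforce.
    """
    violations = []
    if len(password) < min_length:
        violations.append("length")
    # Count every character that is not a letter as a "number or special character".
    non_alpha = sum(1 for c in password if not c.isalpha())
    if non_alpha < min_non_alpha:
        violations.append("non_alpha")
    if is_dictionary_word(password, words):
        violations.append("dictionary")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Dragon", "terces", "Dragon123456", "Blue-Harbor-42!"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Keeping the parameters as named constants mirrors the split the thread describes: the policy states that passwords must be protected, the procedures manual supplies the actual x and y, and the checker is where those numbers are enforced.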




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52245&t=52061
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
