Educause Security Discussion mailing list archives

Re: Password Security


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 23 Oct 2007 10:08:07 -0700

Dear Kevin,

There are three ways to handle risk, namely remediate, accept, and assign. How about proposing to the department that you understand if they wish to use this practice; however, you would like to ensure that each employee is required to undergo security awareness training prior to receiving the card or access to their payroll and annual benefits account. (Thus, you are remediating, but then also accepting residual risk.) I would say that this training should specifically address the system that the employee is about to use, and the serious risks and consequences should the personal information be stolen or used inappropriately. In that training, you would address the risks of identity theft, inappropriate changes to employee payroll/benefits, etc.

Now, in a documented letter to the department head, you would state that you do not support this practice, but recommend the training described above in order to mitigate the risk of employee information being inadvertently stolen. Make the department head sign a letter stating that they will take the responsibility to ensure that each employee undergoes this training prior to being granted access to the payroll/benefits system. Then, once the employee undergoes training, make them sign a waiver indicating that they understand the risk associated with writing passwords down, and that the University will not take responsibility for this information being lost or stolen as associated with the employee's carelessness. You are now assigning the risk to the employee and back to the department.

Because I do not know the structure of this department in relation to your office, all of this information would have to be altered to fit the exact circumstances of your situation.

Anyway, interesting discussion. I will be interested to hear the input of the rest of the listserv.
 
Sarah Stevens
Stevens Technologies, Inc
 
 

________________________________

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Tue 10/23/2007 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Security
Hi All:

I am currently fighting an internal battle and wanted to do a sanity check to see if I am being too stubborn with my stance.

Scenario:

I have a department that wants to give their employees information on business sized cards. There is a slot on the card for people to write down their passwords to their payroll and annual benefits account. The idea is for the less computer literate staff to be able to keep these handy (in their wallets or purses, let's say) so that they can refer to them as needed.

For years we have been teaching people to not write their passwords down, and while some people may do this on their own, I feel that by telling them to do something that is so "anti-best practice" we are increasing our overall liability if any of these accounts are breached. Btw - I have discussed many alternative approaches with the department - none of which they are interested in hearing.

Thoughts? (can be directed to me personally vs. the listserv if you prefer)

-Kevin


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)