Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Mon, 29 Feb 2016 09:12:58 +1300

I always challenge auditors on forced password changes and ask where this requirement comes from. One helpful auditor stated that the requirement came from the New Zealand government security standard, which has some relevance for us.

I checked the standard and found this control was only mandatory for secret and top secret data. When I pointed this out to the auditor we were both happy. She had made the statement and I had stated why we were not going to apply that control.

We now have a written position on forced password changes that we give auditors on day one so that they can focus on important things.

Mark

On 27/02/2016 1:38 a.m., David Sheryn wrote:
There is an interesting, if somewhat dated, paper by Ross Anderson, Professor of Security Engineering at Cambridge University (http://www.cl.cam.ac.uk/~rja14/  https://www.lightbluetouchpaper.org/ ), reporting on the results of some empirical research to try and establish how much password 'folklore' was actually true (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf).  I believe that as a result, he successfully challenged the University's auditors' insistence on frequent password changes.  IIRC, when asked what basis they had for insisting on this, the only response that the auditors could come up with was "Head Office says so"...

Regards


--
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin 9054, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-8813
Email: mark.borrie () otago ac nz

