Wednesday, January 03, 2007

Open door policy.

Furthermore, if you're one of the individuals that are resetting password violations, you still need to verify the user's identity. Quite frankly, it is unknown to me how this became SOP because it's not. Originally, this was only to be done if the user was an executive because they have so many other responsibilities. It was decided that we would not put them through the hassle of trying to create/remember a new password. When you remove password violations, you're just giving the individual five more chances to guess the password.

This passage was taken from an e-mail sent out by Team Lead D**** addressing the issue that an increasing number of Help Desk Analysts are not verifying users' security information before changing passwords or reducing the number of violations on accounts.

What shocks me the most is the statement in the middle about doing such a thing for an Executive Staff member because "they have so many other responsibilities." Are we to ignore security procedures just because it inconveniences the Big Wigs? In point of fact, it is even MORE important to verify this information for Executive Staff because these people typically have access to greater value information and thus, should the procedure be violated, the potential harm is greater. I wonder if the Information Security Department thinks that Executive Staff are somehow exempt from verification.

Secondly, it became SOP because people are not being trained to do it. When you say it to analysts once and then throw them out on the floor to change passwords, they are going to forget or take shortcuts. When I was doing training, I would take two days to work through all the password procedures and security verification was regularly mentioned throughout that process. It was also mentioned when dealing with severity level procedures as they relate to Executive Staff and also conflict resolution training as Executive Staff, or rather the assistants to Executive Staff, are those most likely to ask you to violate security procedures for their convenience.

We should never, EVER subvert security procedures for the sake of convenience. Not because they have "so many responsibilities". Not because we don't want to "put them through the hassle". Not because they are in a meeting and their assistant needs to do their job for them. Not because they whine, cry, complain or threaten. Never.

When I was training, I took security seriously. I still do. If someone has decided to exempt Executive Staff, then they are not and they should not be involved in the training process.