Hi Benjamin,

In a place I used to work, we used to call the security administrator directly. They'll reset the password and then send it to you in a sealed envelope, or you can pick it up yourself if applicable. Needless to say, the password will be forced to change upon first logon with the new password. I personally think there's no need to involve your supervisor/manager etc. unless you have some strong suspicions.

Rgds
Michael
IT Auditor
Sydney South East Health

-----Original Message-----
From: Ortiz, Benjamin Vincent G. [mailto:[EMAIL PROTECTED]]
Sent: Friday, 26 April 2002 10:38
To: [EMAIL PROTECTED]
Subject: [AuditPrograms-L] - Password resetting

Hi,

I was wondering if anyone can tell me what the best practices are for password resetting? I'm currently auditing our E-mail system & procedures. I found that a lot of our sales people keep forgetting their e-mail account passwords and call the Administrator directly. The Admin resets the account and gives the new password over the phone. Isn't this a "risky" procedure?

I've recommended calling their supervisors first so that the burden of verifying the identity of the caller is put on a more reliable person than the Admin. The sup informs the Admin, the Admin resets the account and gives the password to the sup, the sup then relays the password to his staff. This recom has met some resistance from the users.

What do you guys think?

Benj Ortiz
Internal Audit Dept.
Petron Corporation
38/F Petron MegaPlaza Bldg.
358 Sen. Gil Puyat Ave.
Makati City 1200 Philippines
(632) 886-3888 loc. 3830
