Benjamin,

Funny that you say that some senior VPs are forgetful as well. I remember once we did a job for a big company and the CEO of the company had an ID to the entire system (equiv. to secofr) and never used it. We obviously queried it and realised that the CEO did not even know how to use the system!

Good luck on your report! :)

Cheers,
Kalash

-----Original Message-----
From: Ortiz, Benjamin Vincent G. [mailto:[EMAIL PROTECTED]]
Sent: Friday, 26 April 2002 14:19
To: 'Mohan, Kalash G (NZ - Auckland)'
Subject: RE: [AuditPrograms-L] - Password resetting

Hi,

First off, it is a big org. The salespeople are always on the road and the only means of communication is through their cellular phones. The thing is, especially here in the Philippines, text messaging or SMS has been the norm, and they would straight up call or text the Admin, and the Admin also has no other choice but to convey the pwd through the phone.

The two main risks I see are verifying the identity of the caller and passing the pwd through the phone, which could be intercepted.

Also, not only the salespeople are forgetful; even some from top mngt, like our more senior VPs....

Thanks for the insights.

Benj Ortiz
Internal Audit Dept.
Petron Corporation
38/F Petron MegaPlaza Bldg.
358 Sen. Gil Puyat Ave.
Makati City 1200
(632) 886-3888 loc. 3830

-----Original Message-----
From: Mohan, Kalash G (NZ - Auckland) [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [AuditPrograms-L] - Password resetting

Hi,

This is rather subjective, which would certainly depend on the size of the organisation. Assuming this is a large org we are talking about, then using the telephone would certainly be a big NO-NO.

Personally, I would recommend that they use some sort of form, with which the sec admin can vouch for the authenticity of the request. Further, it can be used to monitor who is making the requests. There have been instances where I have seen a single person make more than 19 requests in a month. This certainly would require mgmt's attention, either by training the users or relaxing the pwd controls.

From your mail, Benjamin, I gather that the only department facing this problem is your sales dept. Then mgmt may need to consider informing the sales dept users on the need to ensure that they remember their pwds and safeguard them.

I guess the other issue that you may have to consider is the likelihood of social engineering. Since the telephone has become the norm for pwd reset requests, there may be a possibility that an unauthorised user may make a request and get the pwd reset, which he/she may later use for malicious purposes.

About the pwd being passed on by the sup, I would certainly not recommend that, since the fewer hands the pwd passes through, the better.

All in all, you would need to evaluate the likelihood and the impact of the risk materialising as a whole to the org.

Cheers,
Kalash Mohan

-----Original Message-----
From: Ortiz, Benjamin Vincent G. [mailto:[EMAIL PROTECTED]]
Sent: Friday, 26 April 2002 10:38
To: [EMAIL PROTECTED]
Subject: [AuditPrograms-L] - Password resetting

Hi,

I was wondering if anyone can tell me what the best practices are for password resetting?

I'm currently auditing our E-mail system & procedures. I found that a lot of our sales people keep forgetting their e-mail account passwords and call the Administrator directly. The Admin resets the account and gives the new password over the phone. Isn't this a "risky" procedure?

I've recommended calling their supervisors first so that the burden of verifying the identity of the caller is put on a more reliable person than the Admin. The sup informs the Admin, the Admin resets the account and gives the password to the sup, the sup then relays the password to his staff. This recom has met some resistance from the users.

What do you guys think?

Benj Ortiz
Internal Audit Dept.
Petron Corporation
38/F Petron MegaPlaza Bldg.
358 Sen. Gil Puyat Ave.
Makati City 1200
Philippines
(632) 886-3888 loc. 3830

************************************************************
CAUTION: This e-mail and any attachment(s) contains information that is both confidential and possibly legally privileged. No reader may make any use of its content unless that use is approved by Deloitte separately in writing. Any opinion, advice or information contained in this e-mail and any attachment(s) is to be treated as interim and provisional only and for the strictly limited purpose of the recipient as communicated to us. Neither the recipient nor any other person should act upon it without our separate written authorisation of reliance. If you have received this message in error please notify us immediately and destroy this message. Thank you.
Deloitte Touche Tohmatsu
Internet: www.deloitte.co.nz
************************************************************

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
To unsubscribe from this list send an email to [EMAIL PROTECTED] and include the message
unsubscribe auditprograms-l
and your name.
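The thread recommends logging reset requests on a form so the admin can see who vouched for the caller and spot users who reset far too often (the "more than 19 requests in a month" case), and it warns that unverified phone requests are the social-engineering exposure. The following is an added example, not code from the list or from either company, showing how an auditor could run those two checks over such a log. The CSV layout, the account names, the supervisor identifiers and the thresholds are all constructed assumptions for illustration.

```python
"""Audit checks over a password-reset request log.

Added example: the log format, field names, sample rows and the
threshold values are assumptions, not any organisation's real procedure.
"""
import csv
import io
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one row per reset request as the admin might record
# it on the request form: when, which account, how the request arrived, and
# who vouched for the requester's identity (empty = nobody did).
SAMPLE_LOG = """\
timestamp,account,channel,verified_by
2002-04-01T09:10:00,jdelacruz,phone,
2002-04-01T09:30:00,jdelacruz,form,supervisor:mreyes
2002-04-03T14:05:00,asantos,form,supervisor:lgarcia
2002-04-08T08:45:00,jdelacruz,phone,
2002-04-12T11:20:00,jdelacruz,sms,
2002-04-15T16:00:00,bortiz,form,supervisor:ceo_office
2002-04-22T10:15:00,jdelacruz,phone,
"""


def parse_log(text):
    """Parse the CSV log into dicts; timestamps become datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["verified_by"] = row["verified_by"] or None
        rows.append(row)
    return rows


def unverified_requests(rows):
    """Requests where no one vouched for the caller: the social-engineering gap."""
    return [r for r in rows if r["verified_by"] is None]


def frequent_requesters(rows, threshold, window=timedelta(days=30)):
    """Accounts with more than `threshold` resets inside any sliding window.

    Returns {account: peak count in a window} for accounts over the threshold,
    which is the population that needs either training or relaxed controls.
    """
    by_account = defaultdict(list)
    for r in rows:
        by_account[r["account"]].append(r["timestamp"])
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged


ALPHABET = string.ascii_letters + string.digits


def temporary_password(length=12):
    """Random one-time password from a CSPRNG.

    The mail system should force a change at first logon so the value read out
    to a supervisor or over the phone is useless once the user has logged in.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in unverified_requests(records):
        print("unverified:", r["timestamp"], r["account"], r["channel"])
    print("frequent:", frequent_requesters(records, threshold=3))
    print("example temporary password:", temporary_password())
```

Run against the sample log, the script lists the four phone/SMS requests nobody vouched for and flags the one account that made five resets inside a 30-day window; the threshold is a tuning knob for management, not a fixed rule.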
