Howard C. Berkowitz wrote:
>
> Password structure is too detailed for the security policy,
> although
> it's necessary in the security design. The policy should state
> something on the order that people must protect their
> passwords,
> whether they can or cannot change their own, etc.
>
OK, the part about protecting/changing passwords is a given, but I wonder
about your comment that "password structure is too detailed..."
...where to put the details about that which you are trying to protect...in
a SOP on passwords? or possibly as appendix to the official security policy?
My view of security policy is that it needs to lay down the law, include
specifics on complying with said law, and detail the penalties for
non-compliance. Telling people that they need to protect their passwords is
not enough; they need to know what the organization considers protecting
said passwords.
Without these specifics, I could make the case that writing my password
backwards on a sticky note and placing it in my wallet is protection enough,
and why not? The policy only told me to protect it; it did not tell me the
required manner and depth of the protection.
Can you clarify further where you would put such details?
TIA,
Charles
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52237&t=52061
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]