On Thursday, 12/09/2010 at 11:41 EST, "Schuh, Richard" <[email protected]> wrote:

> Not necessarily, there is LOGONBY. They need only know their own passwords.

They logon and access USER DIRECT. Now they know ALL the passwords. Of course, you can have LBYONLY for everyone. But that misses the point. They are unencrypted passwords AND they are in bulk. What if someone gets the bright idea to copy USER DIRECT to their laptop? YOUR password is now exposed.

> Should anyone have full authority including all the passwords? If so, who?

People should have full authority, yes, but they should NOT have access to passwords belonging to others. In some jurisdictions, a password is classified as "personal information" (encrypted or not) that plays into security breach notification law, even if not covered by PII protection requirements.

The idea that an organization might not take ALL REASONABLE precautions (aka "due diligence") to protect a system with customer data is worrisome. More worrisome is the fact that some organizations apparently don't have a POLICY of password encryption. It's even harder to believe that company lawyers are on board with that since Company Policy is how corporations insulate themselves from the actions of individuals. Even exceptions to policy need a valid reason.

In my Security and Integrity presentation, I say

1. Protect your data
2. Protect your system
3. Protect your clients
4. Protect your company
5. Protect yourself

Do the first two, and the last three will take care of themselves.

I am not a lawyer, however, so my comments reflect my own opinions and experiences in my role as a system security professional. They should not be construed as legal advice, as such advice should, of course, be obtained from a competent attorney who specializes in such matters in the relevant jurisdictions.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
[email protected]
IBM Endicott
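An added example, not from this thread or from IBM: a small audit script that reads a USER DIRECT excerpt and reports which entries still carry a cleartext password in the USER statement rather than LBYONLY (or another no-password keyword such as NOLOG, NOPASS or AUTOONLY). The directory excerpt, user IDs and passwords are constructed; the assumed statement layout is `USER userid password storage maxstorage privclasses`, with comment lines starting with `*` and continuation statements indented.

```python
# Password-field keywords that mean no cleartext password is stored in the
# USER statement (assumption: these are the relevant z/VM directory keywords).
NO_CLEARTEXT = {"LBYONLY", "NOLOG", "NOPASS", "AUTOONLY"}

# Constructed USER DIRECT excerpt for the demo; not a real directory.
SAMPLE_DIRECT = """\
* Constructed sample directory, not a real USER DIRECT
USER MAINT LBYONLY 128M 1000M ABCDEFG
 LOGONBY ALTMARK RSCHUH
 IPL CMS
USER RSCHUH SECRET1 64M 64M G
 IPL CMS
USER TCPIP NOLOG 32M 32M G
USER GUEST1 AUTOONLY 16M 16M G
USER PAYROLL P4YR0LL 64M 128M G
  IPL CMS
"""

def audit_user_direct(text):
    """Map each userid to 'cleartext' or to the no-password keyword found.

    Comment lines ('*') and indented continuation statements (LOGONBY, IPL,
    ...) are skipped; only the USER statement's third field is inspected.
    """
    result = {}
    for line in text.splitlines():
        if not line.startswith("USER "):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue            # USER with no password field: malformed, ignore
        userid, pwfield = fields[1], fields[2].upper()
        result[userid] = pwfield if pwfield in NO_CLEARTEXT else "cleartext"
    return result

def cleartext_users(text):
    """Userids whose USER statement still stores a cleartext password, sorted."""
    return sorted(u for u, v in audit_user_direct(text).items() if v == "cleartext")

if __name__ == "__main__":
    for userid, status in audit_user_direct(SAMPLE_DIRECT).items():
        print(f"{userid:<8} {status}")
    print("Entries needing LBYONLY:", ", ".join(cleartext_users(SAMPLE_DIRECT)))
```

Run against a copy of the directory source file, the output is the list of entries a LBYONLY migration still has to cover.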
