Privacy

Securing the network or invading someone's space? What would you do?

Scott Lowe describes a hypothetical situation in which a user is guilty of a security lapse. How do you strike a balance between overreacting and maintaining tight security?

This is a short posting to ask what you would do in a specific situation. I will follow up on this posting with a summary of the answers and see if there is any correlation between the answers and the organization type.

Maintaining an appropriate level of IT security is important in any organization. IT leaders need to balance the need for a secure computing environment against usability. Likewise, an IT organization that is overzealous in its security mission might be seen as rigid, or it might be seen as a savior; it depends on the organization.

Consider the following hypothetical scenario:

An IT staffer walks by the office of an employee who belongs to a different department. The employee is not in his office. The IT person notices that a sheet with some passwords is sitting out on the person's desk, and that there are some interns working in the office who should not have access to these systems. The credentials allow access to the organization's ERP system. The organization is not in an industry, such as healthcare, that demands a high level of privacy for all information, but it is in a market that requires a reasonable level of privacy for its information.

What would you do?

  1. Find the person and point out the folly of leaving a password list out in the open.
  2. Find the person's manager and point out the error.
  3. Go into the person's office and put the list in a drawer or under something else and send the person an email message indicating that you took this step.
  4. Go into the person's office, take the list, and turn it into the CIO for further action.
  5. Something else. What would you do?

For those of you that provide an answer to this question, please indicate both your answer and the type of organization in which you work.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

25 comments
Paladium

Secure the passwords and leave a message for the user to contact me. When contacted, advise the user to re-familiarize themselves with the company policy on security and passwords. Then tell the user to change the passwords on all the systems that had passwords on the piece of paper. Follow up and verify the passwords were changed then advise the Security Manager of the findings and corrective actions taken.

curlergirl

I think it all depends on whether the company has a stated policy about password security or not. I work with very small organizations (>100 users mostly) and very few to none of them have written policies regarding IT security. I'm an outside consultant also, so in some cases I have to be more circumspect in dealing directly with employees. In most cases, I would first say something to the employee (discreetly, not in front of those interns) regarding password security in general and emphasizing that I'm doing this as a representative of my own company, not the one they work for, as an advisor. But I would let them know that I would say something to their manager if it occurs again, because I have a responsibility to their company as an IT consultant to help them keep their systems secure. None of my clients allow me to require highly secure passwords in the first place, so many passwords are so insecure as to be nearly worthless if someone really wanted to hack into their systems. I talk myself blue in the face about passwords like "johndoe" (which is also the user's name) or "mycatfluffy" but they don't want to listen because their main concern is still usability, not security. I only need to cover my ass in the sense that I need to make sure the company's management knows I'm looking out for their security as much as possible in the existing insecure environment.

hylton

I'd remove the password paper from the employee's desk and lock it in my own drawer. I'd then send an email message to the offender advising them that I had the paper and they can collect it from me. On collection of the paper I'd reiterate to the employee the danger he caused to the IT system, and that if passwords are easy to come by again in his office I would be reporting directly to the CIO, as his actions are endangering my employment.

hsmithdp

I routinely walk through and confiscate all passwords out in the open. This is a violation of our company policy and there are several reminders posted throughout the workplace. I confiscate the passwords and show the proof to their supervisors and mine. Then I document the incident and forward an email to my boss and theirs. According to our policy they will be counselled on the breach of corporate policy. Repeated breaches can lead to dismissal. I know this seems cold. However, in my experience end users can learn all their passwords if they need to. Users are allowed to use notepads to keep track of their passwords, just not allowed to leave them out in the open. Just like customer information.

martian

I like Scummy's approach and would most likely do the same. If I hurt their feelings, I am sure they'll get over it. Especially after it is explained to them in detail. And really, there are so many password manager utilities available out there that this should not be an issue if the person in question has the same failing memory that we all do. Personally, I use one all the time. I also keep cc #'s in there as well as other sensitive but not often referred to info. The security aspect of this does depend a bit on the environment, however, I usually like to err on the side of caution as it were. And yes, I am from a military background, but not anymore.

Boris the Bold

No. 5, something else. Pass to my manager for onward disciplinary action. All companies should have an IT security policy that all users must adhere to, and failure to comply has its penalties regardless of which sector the company is in. The majority of contracts I have are on Security Cleared sites where data is very sensitive and there is no room for error. I would suspect the IT dept would have to diagnose why users need to write so many passwords down and address those issues.

Jaqui

Tony's #6, and #7, #7 being to prepare a report on how to reduce the number of passwords required so as to stop this type of problem from occurring: the time estimate for completing such a change, the man hours to do it, and the improvements in productivity and security from doing so. Then present it to the IT department head at least one day before the next Board meeting.

The Scummy One

How about what I have done? I have done several things depending on the situation. When I was a contractor on-site, I reported it to my manager, but this was because this particular area had a lot of sensitive information and I did not know the staff there well enough to confront them with it. In other scenarios, I flipped the paper over and walked away, and came back around later when the person was there to more discreetly handle the situation. However, they knew me already, and I knew them. I also just 'stopped by' for a chat and noticed it while chatting (as far as they knew) and informed them that this is a real security issue. And it doesn't hurt to remind them of the stated policy on the matter either. This works well because they already know me, and it is non-confrontational, just some simple help. Oops, forgot to mention that I also instructed them to change the passwords because they were compromised.

kenbergins

Tech-FAQ.com defines the ERP system in part as: "ERP systems can cover a wide range of functions and integrate them into one unified database. For instance, functions such as Human Resources, Supply Chain Management, Customer Relations Management, Financials, Manufacturing functions and Warehouse Management functions were all once stand alone software applications, usually housed with their own database and network, today, they can all fit under one umbrella - the ERP system." The primary reason you have a password to access any system is for data security. A breach of that security could be costly, i.e. lawsuits, loss of customers, etc. As an IT staffer, I should have authority to pick up the paper with the passwords. As an IT staffer, I am part of a security team that includes protecting the data of the company. Given that the ERP data is at risk and knowing what it contains, as an IT staffer, I would take the paper with the passwords to my manager. This would let the department managers decide what actions should be taken. The initial response should include protecting the security of the data in the ERP system, which would require changing the passwords and verifying who accessed the ERP system in the time frame up until the new passwords are installed.

dave.schutz

I'd mention it to the person that they are responsible for the security of their passwords. Then I'd send a gentle reminder to all users about password security. And keep an eye on that user!

Matthew Yurksaitis

I read through a few more of the posts to this question/scenario and have a follow-up comment for some of the more "abrasive" actions posted: 1) Consider yourself as that employee: how would you react if someone took your recommended actions against you? 2) Security has to be a comprehensive program and viewed as a comprehensive domain, which includes considerations for the organization environment, employee welfare, etc. When one-sided actions are recommended and taken, the results are often a blow to the organizational security, as employees become frustrated with getting "side swiped" by others who may have good intentions but might be a bit short-sighted in their approach to the resolution.

Matthew Yurksaitis

Given the scenario that this is a situation with mandated security procedures and penalties (such as HIPAA PMI), the best approach is to address the employee first and give them the chance to correct the discrepancy, then do a follow-up "walk by" to see if the employee has taken the appropriate action. In addition, let the employee know that you will be talking with his or her manager for follow-up as well. It is always a sound and more effective approach to handle such events at the lowest level possible and escalate only when this does not work. While alerting security, or going straight above the employee's head in the organization, will take care of the immediate situation, you may have now induced a situation of a disgruntled employee.

Tony Hopkinson

Head for creating the situation where the guy had to write his passwords down in the first place. At a certain point, multitudes of passwords, especially strong ones, become a security minus, not a plus. They stop more people who should have access getting in than they do those who shouldn't.

Jaqui

With a little thought behind the configuration, you can have it so that only one password will grant any employee the access they need to do their jobs, but no more access than they need. The IT admin overhead is slightly higher, but the ease of use and improvement in security is much higher. Both the latter improve productivity drastically. Even Microsoft's products will enable the grouping of employees with access by the grouping, so there is no reason to require multiple strong passwords, only the one for logging into the network to begin with.

BBPellet

Take the list, send her an email to come see me, revoke her/his permissions until he/she comes up to me to discuss the matter, then explain the proper security policies, then tell her/him to memorize the passwords from here on out, then reset his/her passwords to ones he/she can remember, then destroy the old password list.

NotSoChiGuy

I'd first turn over the password list, and leave a post-it note on it stating that this sort of information needs to be secured. I'd also take note of the accounts, and see if I could ascertain whether or not they've been used by non-authorized individuals. If the accounts had not been used, I'd just do a follow-up spot check to ensure the passwords were no longer in plain sight. If the accounts had been used, I would bring it to the attention of the appropriate parties (IT hierarchy, CSO, etc). Even if the accounts had the most basic access (ability to read time sheets, for instance), the fact someone would knowingly use an account to gain unauthorized access doesn't speak well to how they would act if they were suddenly in charge of the petty cash drawer, or left alone in the IT stock room, etc. Like Billy Joel said, it's a matter of trust!
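The check that kenbergins and NotSoChiGuy both describe, reviewing who used the exposed accounts between the time the sheet was left out and the time the passwords were changed, as an added example that is not part of the original post or any commenter's code. The log format, account names, IP addresses, the owner's "known" workstation and the exposure window are all constructed assumptions for illustration; a real ERP audit log will differ, and the parsing regex would need to be adapted to it.

```python
"""Added example: flag logins to exposed ERP accounts during the exposure
window from any source other than the owner's known workstation(s).
Everything below (log format, accounts, addresses, window) is constructed
and not taken from any real ERP product or from the original post."""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed audit-log lines in a hypothetical key=value format.
# 10.1.4.22 is assumed to be the account owner's desk; 10.1.4.57 is
# assumed to be a shared PC used by the interns in the same office.
SAMPLE_LOG = """\
2009-03-12T08:55:10 event=login user=jsmith src=10.1.4.22 result=success
2009-03-12T09:40:31 event=login user=jsmith src=10.1.4.22 result=success
2009-03-12T11:02:07 event=login user=erp_ap src=10.1.4.57 result=success
2009-03-12T11:05:49 event=login user=erp_ap src=10.1.4.57 result=failure
2009-03-12T11:06:12 event=login user=erp_ap src=10.1.4.57 result=success
2009-03-12T13:20:00 event=login user=jsmith src=10.1.4.22 result=success
2009-03-12T17:45:03 event=login user=erp_gl src=10.1.4.57 result=failure
2009-03-13T08:10:00 event=login user=bjones src=10.1.4.90 result=success
"""

# Accounts that were on the sheet (assumed), the exposure window (assumed:
# from the walk-by until the passwords were rotated) and the addresses
# from which each account is legitimately used (assumed).
EXPOSED_ACCOUNTS = {"jsmith", "erp_ap", "erp_gl"}
WINDOW_START = datetime(2009, 3, 12, 9, 0, 0)
WINDOW_END = datetime(2009, 3, 12, 18, 0, 0)
KNOWN_SOURCES = {
    "jsmith": {"10.1.4.22"},
    "erp_ap": {"10.1.4.22"},
    "erp_gl": {"10.1.4.22"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class LoginRecord:
    timestamp: datetime
    user: str
    src: str
    result: str


def parse_log(text):
    """Yield LoginRecord objects; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield LoginRecord(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"])


def suspicious_logins(log_text, exposed_accounts, window_start, window_end, known_sources):
    """Return records for exposed accounts, inside the window, from an address
    the owner is not known to use. Failed attempts are kept on purpose: a bad
    password typed from the interns' PC is evidence that the sheet was read."""
    findings = []
    for rec in parse_log(log_text):
        if rec.user not in exposed_accounts:
            continue
        if not (window_start <= rec.timestamp <= window_end):
            continue
        if rec.src in known_sources.get(rec.user, set()):
            continue
        findings.append(rec)
    return findings


def summarize(findings):
    """Group findings per account as {user: (successes, failures, set_of_sources)}."""
    summary = {}
    for f in findings:
        succ, fail, srcs = summary.get(f.user, (0, 0, set()))
        if f.result == "success":
            succ += 1
        else:
            fail += 1
        summary[f.user] = (succ, fail, srcs | {f.src})
    return summary


if __name__ == "__main__":
    hits = suspicious_logins(SAMPLE_LOG, EXPOSED_ACCOUNTS, WINDOW_START, WINDOW_END, KNOWN_SOURCES)
    for user, (succ, fail, srcs) in sorted(summarize(hits).items()):
        print(f"{user}: {succ} successful, {fail} failed login(s) from {sorted(srcs)}")
```

The window should start at the last moment the owner can confirm the sheet was out of sight, not at the walk-by, since the interns may have read it earlier. An empty result only shows that the log recorded no use; it does not prove the passwords were not copied, so they still get changed regardless.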

jdclyde

I would take the list and it would just go into the shredder, and I would not say a word about it. I work industrial, where there is sales information and customer information that should be confidential, but nothing of cloak 'n' dagger importance. If it was a repeat offender, I would go into the system and change their password and wait for the call. "Gee, if your password doesn't work, did you leave yourself logged in? Someone must have changed your password. We will have to watch out for who could have access to your password from now on....." In general, I am not a hardass when it comes to the computers (IT Nazi), but there has to be a reasonable level of security.

Michael Kassner

One important consideration is the employee's position in the company. Whether it is to CYA or follow the company hierarchy, I would want to know that person's rank "if you will" before doing anything. Interesting post and very applicable to the real world.

Bizzo

Not 1. Passwords to these kinds of systems should be kept secure, especially if it's in a market that requires privacy. Not 2. This might be the way that office works, or it might be the manager that gave the employee a list of printed passwords. Not 3. Drawers are private pieces of furniture, we call it personal space, don't go there! Not 4. A bit of overkill maybe, considering it's a privacy matter, not a security issue as such? 5. I'd go to my manager and tell him the situation. It might be that I was in the wrong by going into that office, and I could find myself in trouble for rummaging in someone's desk when I had no right. I work in a multinational company, supporting government, healthcare, financial and industry contracts. Depending on the security level required for these contracts, leaving password lists, or even just project documentation, out is a disciplinary offence.

glenn.martin

It is probably too late to remove the passwords from the user's desk; if you've seen the passwords then it's quite possible that the interns have also seen them. If you have a policy about password management then the appropriate thing to do is to approach both the user and her manager about the importance of the network's security and then allow the manager to take the appropriate steps necessary to ensure the user doesn't violate the policy again.

rush2112

Go change all the passwords and let them ask what the new login credentials are now. When they ask, tell them to have their manager request them from you. Shred the list immediately after changing them. Second time, find out which telephone extension they call you from, delete it. Security is what it is. Every company has a "POLICY" which employees agree to be bound by as part of their employment. The flip side is when you have someone breach your network... whose head will be on the block for poor security measures at that time? Who will be responsible for resolving the breach? It takes less work to prevent, or at least take reasonable measures to prevent, an intrusion than it does to clean up after one has occurred. End user unhappy, probably. Manager of end user unhappy, probably. Network security kept at current levels, yes. Security is not appeasement, it is risk vs. cost-expenses desired/needed.

Rabs

This really does depend on a number of factors such as the level of access granted by the logins left lying around or whether the company has a Computer Use Policy or not. Regardless, I would find the person and point out their folly. I would bet that, in a large proportion of companies, this is standard practice. Users just do not appreciate the danger of leaving passwords lying around or letting others know their user/pass. I ALWAYS lock my PC when I leave my desk. However, as a former sysadmin, this is a necessity. You don't want any old monkey messing with your machine/network do you?

JackOfAllTech

Turn the paper over, THEN go find the ID 10 T. For 2nd offense, find his manager.

beentherebefore

I have IT security in my title so I have to respond. Remove the password list and wait. When the customer of IT asks for a password change, show them how to create a pass phrase that is easy to remember but very difficult to hack or guess: "My old dog is fat and lazy" is really easy to remember but would take weeks to hack.

stod73

I'd report it to my manager and let them handle it.