General discussion

  • Creator
  • #2190140

    Company officer gave away password


    by mkfeff_2000 ·

    I have a very senior officer that gave away his password to a major public accounting firm. Someone at this firm accessed his mailbox through Outlook Web Access. After asking the user about this, they said don’t worry about it. We are a public company. I mentioned this to the CEO, and he said to watch it and let him know if it happens again. Should I inform our Audit Committee? This user has access to very confidential material; besides, he broke one of our security policies. Any insight would be appreciated.

All Comments

  • Author
    • #3057713

      First, force him to change his p/w

      by charliespencer ·

      In reply to Company officer gave away password

      Since you mentioned OWA, I assume you’re running a Windows AD domain. Open his account, click the “Force user to change password on next login” box, and let the NOS do the dirty work for you.

      You’ve already informed the CEO; do you have a CIO? Tell him and let it be a problem between senior officers. If there’s no one above you in the IT chain, and assuming your audit committee is in charge of policy compliance, then yes, inform them. I’d also contact the CIO / IT head at the accounting firm and ask why his people need access to your user’s e-mail account.

      I’m not sure why the user thinks being a public company has any relevance. That doesn’t mean everybody in the public needs access to all your company data. If I was a shareholder, I’d be defecating rectangular wall-building materials.

    • #3057676

      Revoke his password NOW

      by mjd420nova ·

      In reply to Company officer gave away password

      Who knows who has that password now and what they’re doing with it.

    • #3057648

      Get Internal Audit involved

      by m_a_r_k ·

      In reply to Company officer gave away password

      This could be a very serious matter. Do you have an Internal Audit department, or is it outsourced to an accounting firm? The director of Internal Audit (not just the Audit Committee) should be informed. The IA Director is easier to contact than the Committee. Don’t spread this knowledge to anyone else other than CEO, CFO and CIO. The offender could (and should) get fired for violating the security policy so blatantly and for allowing an external organization to access sensitive company information. The IA dept has a professional ethical obligation to keep this knowledge under wraps. Let IA investigate to try to determine if any sensitive data was changed. That’s most important, especially with Sarbanes-Oxley if you are a publicly owned company (i.e., are listed on a stock exchange). With SOX, every public company must provide assurance that all material financial data is accurate. If sensitive data cannot be changed, only viewed, that is a bit less serious. Is the accounting firm your external auditor? If so, the simple fact that they accessed confidential information while not in the presence of a company representative is a potential violation of SEC rules. I used to work at a public acctg firm. The external auditors typically are very careful about things such as this.

    • #3057533

      Remind the CEO

      by gadgetgirl ·

      In reply to Company officer gave away password

      that he has ultimate responsibility, not only for the safety of the information, but also for the staff’s awareness of their responsibilities (at least, that applies in the UK, where I’m based)

      Firstly, I would try going through ALL your policies – I’m sure that retaining confidentiality and security of your own password, and not donating it to others will be in more than one policy. List the policies and sections which have been infracted.

      Send this list to your personnel/staff/HR department, with a copy to the CEO. Express your concerns (strongly) that this has happened, and point out that lack of action on this could cause a precedent within the company. The last thing you want is for other users to point the finger saying “well, HE did it, and nothing happened to him” – Should this happen again, the company may end up with no recourse to their staff.

      I would also word, very carefully, a final paragraph to the communication, stating that in your opinion this is a gross contravention of policy, and that you feel you have had no option but to bring it to their attention due to the seriousness of the matter. Then try to get a few words in which simply state that you have now washed your hands of this, and the ball is in their court. Once you have done this, drop the matter entirely – you have done your duty to the company, and can in no way be held to blame for the original infraction, the subsequent actions, or sweeping the matter under the carpet.

      Been in a similar position – watch your back, they’ll go for you first if there is any comeback on this. You’re the one who will be blamed for keeping it under wraps, or for only telling the CEO and not the “appropriate” persons.

      Let me know how you get on.


    • #3069984


      by jck ·

      In reply to Company officer gave away password

      a) inform your immediate superior (I would take it, the CEO) that you’re going to…then inform him that it happened in an email

      b) cc the Audit Committee

      if you don’t turn it in, you’re guaranteed to get bit when it’s found.

      If you do turn it in, you are covered under that squeal law…if they try and fire you after that…you can file a huge lawsuit and probably win, unless you’ve been absolutely negligent in someway

      Anyways…I’d say tell the CEO you’ve got to divulge it…and give him/her the option of sending the email with you to the Audit Committee.

      • #3060489

        Restructure his/her access immediately

        by andyb-uk ·

        In reply to errr…

        You’ve just quoted a perfect situation where your company data, network and whole IT infrastructure is wide open to abuse. As a security officer in a large data centre I would seriously expect all access for this user to be turned to read only pending an investigation, all access to confidential data be blocked immediately and even possibly removing all their access to your network completely – that includes the PC.

        • #3060485

          Regular password change policy

          by carolip ·

          In reply to Restructure his/her access immediately

          Suggest you review your general password policies – do users have to change their passwords on a regular basis? Best practice recommends that users do change their passwords on a regular basis, and that passwords have a minimum length of 8 characters, containing 3 of: lowercase, uppercase, numerals, special characters. Forcing a change for this user will then fit within this framework.

    • #3060487


      by mdmenterprises ·

      In reply to Company officer gave away password

      If I were you, I would inform the audit committee ASAP. This is a total breach of security.

    • #3060443

      Re: Company officer gave away password

      by scotty059 ·

      In reply to Company officer gave away password

      What a severe brain cramp. Good thing you mentioned it to the CEO. Force him to change his password on the next logon. Did he realize the severity of this? That confidential information and materials were compromised by doing that. Please, wake this man up.
      Good Luck

    • #3060420

      Why did he do this?

      by robroynj ·

      In reply to Company officer gave away password

      Why would an officer give his password to an accounting firm? If they are your company’s accountants, there are procedures for getting information. If they aren’t, this is *LIKELY* not going to cause a breach only because the accounting firm has their reputation to protect. It does display a real lack of sense on the part of your company’s senior officer and your CEO who isn’t making a huge deal of it. What hasn’t been discovered? What were the motives behind this?

      I would involve the audit committee and anyone else; copy your CIO, your boss (if not the CIO), etc. Make this their problem ASAP.

    • #3060386

      You could be culpable

      by mstorey ·

      In reply to Company officer gave away password

      In some companies, the fact the others know about this and do not report it to information security may make them partly culpable, and they can be disciplined.

      Save your company, your CEO, and yourself, and tell the appropriate security people at your company before any harm is done.

      By the way, I believe the company using his password should be censured, too. At least, their security department should know about this potential infraction, so they can take appropriate actions on their side.

    • #3060361

      A public company… and you’re not to worry about it???

      by lando56 ·

      In reply to Company officer gave away password

      Since you mentioned that a major public accounting firm was involved, I have to assume your company is quite large too, ergo most probably under one of the Fed regulations (SOX, HIPAA, etc.). If I’m way off, sorry, but if I’m not, you have a LOT to worry about! The auditors are gonna have a field day! Talk about noncompliance, not to forget to mention violating your company’s own security policy(ies) as you mentioned.

      Sounds like your C-level needs a VERY serious education meeting on regulation/policy compliance. Ask a few that are in jail now, including those that did not ‘blow the whistle’ when they knew that there was a serious security breach. Good luck to you. You have some tough decisions to make!

      Just a quick last thought… what kind of drugs are these people on anyway? These regulations and policies are not just suggestions!

    • #3060316

      Gave away password

      by ebenezerg ·

      In reply to Company officer gave away password

      And HE STILL HAS A JOB??

      The ability to change end-user passwords should lie with the end-user. Abuse that privilege and you should be out the door. I would also question the ethics of the accounting firm. Does the person who accessed the email w/ OWA still have a job?

      Document everything to CYA.

    • #3060291

      Give Away?

      by dobbinsm ·

      In reply to Company officer gave away password

      First, lock down his password. Deny access clearance to all confidential data. Take away his password if you have to. Get your internal audit involved! This attitude is not right even if you are a “public company”. Access to confidential material and data should remain just that…confidential!

    • #3069806

      You may be liable

      by bawanab1 ·

      In reply to Company officer gave away password

      In the shadow of Enron and Sarbanes-Oxley compliance you might want to report this guy. By doing nothing, you might be held accountable for breached information. Knowingly ignoring a security breach is wrong and should be reported.

      I would not want that responsibility on my back.
      Good luck…

    • #3069803


      by blieffring9 ·

      In reply to Company officer gave away password

      Did the real auditing firm do something as stupid as ask for unauditable access to your system? Or did someone call and psy-ops a password out of a tuna? Has anyone monitored access and the originating IP address? Where have they been in your system? Time to get professional network auditing online. They are the only ones that can monitor beyond the operating system. Not ordering an audit and records trace and investigation and public disclosure is a breach of financial trust.

      • #3069752

        Forensic Audit required

        by robertmi ·

        In reply to Pfished?

        Speaking as a forensic analyst, I suggest that you need to:
        1) Force new passwords on all employees. There is no telling how many people (passwords) have been compromised. You know of one.
        2) Initiate an internal network audit through your official audit procedures/people. Don’t carry the can yourself.
        3) Memo the CEO & CIO with a fully detailed account of the implications for security – for the record.
        4) Set up a file detailing every word said/written on this topic to ensure that political activities behind the scenes do not come back to bite you. Keep a copy.

    • #3069675


      by joseph.calloway ·

      In reply to Company officer gave away password

      According to the Sarbanes-Oxley rules and regs, all publicly traded companies must have some kind of whistle-blower policy in force. You can send an email to your chief auditor and explain the situation to him.

      I came from an environment like yours and we (the staff) decided that each month, one of us would leave the company and tell HR what the problem was. After six of us left, they (HR) finally believed us and transferred our SVP off to another department.

    • #3069514

      Non-disclosure/confidentiality agreement

      by alistair.peacock ·

      In reply to Company officer gave away password

      As a first step I would get the password changed pronto. Second step would be to find out why the accounting firm needed access to his email account. Thirdly I would get this senior officer to get the accounting firm to sign a non-disclosure/confidentiality agreement. That way another senior officer of the company needs to authorize this access. This will then highlight the problem without you being the stirrer!
