Password list

By nimakoh6
Good morning, honourable members of this House. I want your views on this subject, please. As a Network/Sysadmin, the Internal IT Auditor is doing the quarterly IT audit in my place of work. He then asks to see my password list/file. I reply "NO WAY".

The question is: is it ethical or right for him (the Internal IT Auditor) to request to see my (routers, switches & firewall) passwords at any time? I want to hear your views on this subject.


All Answers


Company policy?

by TobiF In reply to Password list

If the routers were your own, then, of course, you decide who is allowed to do what.
But I believe this equipment belongs to the company you work for. Then this would depend on the policy in the company.
1. You need to have some kind of backup for these passwords, in case something happens when you're not around (or if you'd go to hospital, for instance).
2. The IT audit should, of course, also have the possibility to check settings and parameters in network equipment.

But you need to decide inside the company how you want to handle these things.

Consultant?

by oldbaritone In reply to Password list

Your Bio says your title is "consultant." As such, you are probably required to provide the information to the customer's auditor. It depends on what was agreed and the conditions of the contract between you and your customer.

Understand the situation: your customer has a business, and you have crucial information that allows the business to run. If you are unavailable for any reason, the customer needs to be able to continue their business. OTOH, if someone uses the passwords and things go awry, you may be blamed when you had no part in it.

There are a couple of ways to satisfy both parties. Escrow agents are one way: you give the information to a neutral third party, who holds it against the eventuality of your unexpected departure. If you default, the information is turned over to the customer. Escrow agents charge a fee for their services.

Another way is a sealed-envelope system: you turn the passwords over to the auditor sealed in an envelope, or in nested envelopes. If the seal is broken, you cannot be held responsible for the changes to the network. That way, the customer can access the passwords in an emergency, but you are also protected. If something happens and you are blamed, ask to see the sealed envelopes.

But this case sounds like the "Golden Rule": "the one with the Gold makes the Rules."

Good luck.


Re: Consultant?

by TobiF In reply to "Consultant?"

Hi there,
One quick note:
My TR bio says "IT consultant". Actually, I'm a mobile telephony consultant, but TR's vocabulary is very limited on available professions.
(Hope this doesn't mean I'm not welcome to participate here, though :) )
Best regards,



by PurpleSkys In reply to Re: Consultant?

Of course you're welcome... If you check my bio, it just says "Other"; there is no classification listed for Office Administrator, and I've always been welcome :) . There are just those times, though, when folks list themselves as a "tech consultant" of some sort and post the strangest things, many of which my 6 yr old could fix.


I think the point being made was....

by Darryl~ Moderator In reply to Re: Consultant?

that as a consultant, they would not be under the "full time" employment of the company and would most likely be under a term contract.... Personally, I wouldn't give a consultant the passwords to my network if I was the owner of the company.... and.... if a consultant I hired to do some work on my network put some passwords in place, they darn well better give me the passwords.


Well this is something that I feel very strongly about

by OH Smeg Moderator In reply to Password list

What are the policies in place by the company here?

But nonetheless, if you are in sole control of this Hardware and no one else can access it, you are in a world of Hurt when something happens. Recently a Network Admin in the States was convicted of preventing the Network Owner from accessing the network because he refused to hand over the Access Codes/Passwords to a person who asked for them.

Now the real question here is: does this person have the Authority to have these Passwords/Access Codes? If they are an Internal Security Auditor they most certainly have the right to have these codes and can justifiably be expected to require them to do their job.

What is the company to do when something happens to you and they have a problem? They own the hardware and employ you to keep it running. Part of that responsibility is not to set yourself up as a Single Point of Failure for the company. So here, if there is no Policy in Place by the company and there is no one else with the Access Codes/Passwords, I would just hand them over in a sealed envelope to the CEO, OWNER or whoever and let them do as they please with them. If there is a failure as a result of this, you have absolved yourself of the direct action of others, but you may also have not followed the Required Security Methods of the company or any Compliance that they have to follow, so it may be necessary to make changes, particularly if they have just instigated something new.


Password list request - Thank you

by nimakoh6 In reply to Password list

Thank you all for your diverse and insightful comments on my posting regarding the Password list request.


More than what first meets the eye

by santeewelding In reply to Password list request - T ...

Isn't it?

You are to be thanked for the question, the responses to which I (and probably many others) have been following in silence.
