Testing my company's security

By srturtle
I'm trying to get some ideas on how to test my company's security. I want to somehow test the end-user. The one thing I've come up with so far is to have a manager call users and ask the user for their password for the network. I guess my question is: has anyone done this for your company, and if so, what did you do?

by BFilmFan In reply to Testing my companys secur ...

There are several ways to conduct a security audit.

TR has a large list at

by pierrejamme In reply to Testing my companys secur ...

It would be a security risk for you to know the users' passwords. Let me explain. If you were in court prosecuting an employee, all their defense lawyer would have to ask is: "Does anyone else have access to your account?" Case thrown out.

Passwords should be alphanumeric and at least eight characters. Throwing in a symbol increases strength. Some say a case change also increases strength.

by Jellimonsta In reply to Testing my companys secur ...

Depending upon the size, budget and business, I would suggest outsourcing the security audit to an external vendor proven in this service.
If you are a mom and pop shop, then I would follow the advice given by BFilmFan.
However, security should be paramount to any of your Information Technology needs, so if there is any room in the budget, I would out-source. Internal folks have too much of a vested interest to adequately perform the audit. IMHO.

by gadgetgirl In reply to Testing my companys secur ...

As Jelli says, you are better off getting an outside firm to do this, so there is no bias at all in the result of the examination.

Try to get hold of a list of the user questions asked in a security gap analysis interview, such as BS7799 (ISO 27001). This goes through a number of basic end user scenarios: where do you keep your password (in your head); what is the last thing you do at night (shut down PC, and lock office drawers, files and cabinets). The best question of all to ask them, I find, is this: Is there any file or folder on the system you have access to that you don't need? Answer (invariably) - Yes!

Remember to ensure that the external company keep the questions simple, and that they don't employ yes or no answers, or you will never get a true picture of the security awareness level.
