Non-Expiring Passwords for C Level Employees. Really?

So, the other day, while teaching my online course in Computer Security for the University of Advancing technologies, I had a student ask me what they should do if their CFO asked to have a non-expiring password in a publicly traded Fortune 500 company. I responded that in today’s age of heavy SEC and regulatory oversight I didn’t see that really being a problem. I jokingly said that maybe 10-15 years ago it wouldn’t have been a problem either, because most of us weren’t expiring passwords regularly.

The student came back with “No, I am serious. I was just asked to please set our CFO up with a non-expiring password, and the request came from my CIO directly to me, which, as low as I am on the totem pole, just about never happens.” My thoughts were all jumbled up for a minute, as I thought we had surely gotten past this mindset with the news articles and all the coverage about regulatory compliance, internal controls, etc. C’mon, I mean really? We are talking about the CFO – the Chief Financial Officer, the person with access to corporate funds, bank accounts, etc. – and they really don’t want to change their password because it is too much of an inconvenience? When I asked more questions I wasn’t surprised to find out that the company does not have any sort of two-factor authentication for their executives, as that is too cumbersome as well.

Why is it that Internal Audit, External Audit and others in that profession continue to miss items like that? Is it because they are so far down in the minutiae of systems that they have forgotten that in Enron it wasn’t the little folks in the organization, like me and other IT Operations folks, that caused the issue; it was the corporation’s senior executives? Things like Sarbanes-Oxley are supposed to manage and control the C-level executives’ behaviors because no one that works for them is in a position to do so. So, my call-out in today’s rant is for the internal controls folks to pay more attention to the corporate executives and what they are or are not doing, and a bit less attention to the folks down in the trenches.

Oh, wait a minute… whether it is an internal or external auditor, their pay still comes from the same executives that no one else in the company can challenge without fear of not being paid… hmmmm… guess we won’t be seeing that type of oversight anytime soon.

Oh, and since this is my first posting, don’t think I am anti-auditor; I’m pro-auditor. I just think that this is an area that we currently lack an answer for.

One last item: please don’t comment on how lame you think passwords are and how they don’t do anything or provide any controls. Please, if you are a security professional you should know they are simply one part of an effective defense-in-depth architecture. BTW – if you don’t believe in defense-in-depth you are probably reading the wrong blog…

© Kevin L. McLaughlin, probably cited re-use is acceptable

About mclaukl

Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee, Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security Manager with the Procter & Gamble (P&G) company (Fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (Fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team, and it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has created an Information Security program, conducted Information Security strategic planning, designed Information Security solutions, investigated over 700 cyber cases and operated a Global Security Operations Center.

• Education - MS in Computer Science Education, BS in Management of Information Systems - currently a PhD in Cyber Security, University of Fairfax
• Professional Certifications - CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC.

Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University.