Posts Tagged ‘access control’

ISO 17799: Infosec Risk Assessment Standard

Saturday, November 29th, 2008

ISO, the International Organization for Standardization, is the world’s leading developer of International Standards, ensuring product and information interoperability. One of their most widely adopted standards is ISO/IEC 17799:2005, which establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. This is especially important in the increasingly interconnected business environment, where information is now exposed to a growing number and a wider variety of threats and vulnerabilities.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

The objectives outlined in ISO/IEC 17799:2005 provide general guidance on the commonly accepted goals of information security management and contain best-practice controls in the following areas of information security management:

  • information security policy
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development and maintenance
  • information security incident management
  • business continuity management
  • compliance

The control objectives and controls in ISO/IEC 17799:2005 can be used by an organization to assess the risk of doing business with partners, customers and suppliers, and are a good indicator of another organization’s IT and business process maturity.


The Problem with Shared Usernames and Passwords

Monday, November 17th, 2008

A lot of small to medium sized companies use shared passwords to access information in their internal IT systems or in systems run for them by remote managed service providers. They do this to work around internal IT groups that may be too slow to enable information access, or to reduce licensing costs with external providers who price their services on a per-user basis.

From an information security standpoint, using shared passwords is a bad idea for several reasons:

  • It will cause you to fail a security audit. Almost all state regulations on personally identifiable information and industry regulatory standards such as PCI DSS, HIPAA, Sarbanes Oxley, or Gramm-Leach-Bliley prohibit the use of shared user names and passwords.
  • It causes more work for your IT group, particularly when an employee resigns or is terminated, because the shared password must be changed and everyone using it must be informed.
  • If any information is inappropriately changed or stolen, you have no way of determining which individual is responsible.
  • The use of shared passwords will likely increase your liability if you are sued for an information security breach.

Here’s what you have to do:

  1. Identify every internal or outsourced service that your company uses to manage information. This can be an eye opener: you may use a lot more systems for this purpose than you realize.
  2. Identify each individual who must have access to information in each internal or remote system. Your IT group should keep this information up to date in a matrix so that it can be easily referenced in the event of an employee termination or transfer, or during a security incident investigation.
  3. When a new employee is hired, determine which information systems they need access to. Incorporate this into your new employee IT provisioning process. In addition, channel all new requests for information access through your IT group so that they can keep their records up to date.
  4. Create an information systems acceptable use policy, distribute it to all of your employees, and have them sign it. Include provisions in this agreement that prohibit the sharing of user names and passwords between employees or with 3rd parties.
  5. Systematically create new user names and passwords for the individuals who have been sharing them, and distribute them.
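As an added example (not code from the original post), here is a small Python model of the access matrix from step 2. It flags credentials known to more than one person, produces the disable/rotate checklist for a departing employee, and shows why an action under a shared account cannot be attributed to an individual. The system names, account names and people are constructed placeholders.

```python
"""Access matrix model: shared-credential detection and offboarding checklist."""

# Constructed sample matrix: system -> {account -> set of people who hold that credential}.
# A clean matrix has exactly one holder per account; more than one means the
# credential is shared and actions taken under it cannot be tied to a person.
ACCESS_MATRIX = {
    "payroll-saas": {"alice": {"alice"}, "ops-shared": {"bob", "carol", "dave"}},
    "crm":          {"bob": {"bob"}, "carol": {"carol"}},
    "file-server":  {"admin": {"alice", "bob"}, "dave": {"dave"}},
}


def shared_accounts(matrix):
    """Return (system, account, holders) for every credential known to more than one person."""
    return sorted(
        (system, account, sorted(holders))
        for system, accounts in matrix.items()
        for account, holders in accounts.items()
        if len(holders) > 1
    )


def offboarding_checklist(matrix, person):
    """What IT must do when `person` leaves: disable their personal accounts and
    rotate every shared credential they knew, telling the remaining holders."""
    disable, rotate = [], []
    for system, accounts in matrix.items():
        for account, holders in accounts.items():
            if person not in holders:
                continue
            if len(holders) == 1:
                disable.append((system, account))
            else:
                rotate.append((system, account, sorted(holders - {person})))
    return {"disable": sorted(disable), "rotate": sorted(rotate)}


def attributable_to(matrix, system, account):
    """Return the one person responsible for actions under this account, or None if shared."""
    holders = matrix[system][account]
    return next(iter(holders)) if len(holders) == 1 else None


if __name__ == "__main__":
    for system, account, holders in shared_accounts(ACCESS_MATRIX):
        print(f"shared credential: {system}/{account} known to {', '.join(holders)}")
    print("bob leaves:", offboarding_checklist(ACCESS_MATRIX, "bob"))
```

The `rotate` list is exactly the extra work the post describes: every shared password must be changed and every remaining holder informed, while a personal account is simply disabled.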
