From an information security standpoint, using shared passwords is a bad idea for several reasons:

• It will cause you to fail a security audit. Almost all state regulations on personally identifiable information and industry regulatory standards such as PCI DSS, HIPAA, Sarbanes Oxley, or Gramm-Leach-Bliley prohibit the use of shared user names and passwords.
• It causes more work for your IT group, particularly when an employee resigns or is terminated, because the shared password must be changed and everyone using it must be informed.
• If any information is inappropriately changed or stolen, you have no way of determining which individual is responsible.
• The use of shared passwords will likely increase your liability if you are sued for an information security breach.

Here’s what you have to do to:

1. Identify every internal or outsourced service that your company uses to manage information. This can be an eye opener: you may use a lot more systems for this purpose than your realize. 
2. Identify each individual who must have access to information in each internal or remote system. Your IT group should keep this information up to date in a matrix so that it can be easily referenced in the event of an employee termination, transfer or during an security incident investigation. 
3. When an new employee is hired, determine which information systems they need access to. Incorporate this into your new employee IT provisioning process. In addition, channel all new requests for information access through your IT group so that they can keep their records up to date.
4. Create an information systems acceptable use policy, distribute it to all of your employees, and have them sign it. Include provisions in this agreement that prohibit the sharing of user names and passwords between employees or 3rd parties.
5. Systematically create new user names and passwords for individuals who have been sharing them and distribute them.

No related posts.