Friday, February 3, 2012

ISO27001 and Password Controls

I audit quite a number of firms every year, and those seeking certification to ISO27001, the information security management standard, are rising in number.


The first step in any 27001 project involves a gap audit to see how near (or far) the organisation is from meeting the standard. Typically it transpires that some substantial work is needed to meet this exacting standard.


To put the standard into perspective: if ISO9001, the quality management standard, equated to a molehill, then 27001 would equate to Everest. I hope I haven't put you off!


One of the sections within 27001 deals with access control, and the part I want to cover is the control and use of passwords. Here are some guidelines for passwords:

  • Passwords should be complex, i.e. they should be six characters or more, should contain at least one number and one uppercase letter, and if feasible a non-alphanumeric character. I often put £ in my passwords since only UK keyboards have this.
  • The password should not be in a dictionary, either forwards or backwards.
  • Never use Pa33w0rd (Password) or lEt m3 1n (letmein), or a pet's or partner's name.
  • Never disclose your password to anybody.
  • Change your password regularly.
  • Never write it down unless it is heavily disguised.
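The complexity and dictionary rules above are easy to state but easy to get wrong in code, in particular the "Pa33w0rd" and "lEt m3 1n" cases, where a dictionary word is hidden behind digit substitutions. The following is an added example, not code from the post, that applies those rules as written: six or more characters, at least one number and one uppercase letter, a non-alphanumeric character as an advisory rather than a hard failure, and a dictionary check that undoes common substitutions and reads the result forwards and backwards. The word list is a constructed stand-in; a real check would load a full dictionary and a list of commonly used passwords.

```python
import itertools

# Constructed stand-in for a real dictionary plus a common-password list.
DICTIONARY = {"password", "letmein", "welcome", "january", "monday", "qwerty", "secret"}

# Substitutions people use to "disguise" a dictionary word. Some characters
# stand in for more than one letter ("3" for e or s, "1" for i or l), so each
# maps to the string of letters it could represent.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "3": "es", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
}
MAX_CANDIDATES = 1024  # bound the expansion for passwords with many digits


def candidate_words(password):
    """Yield the plain-text words a password may be disguising.

    Lower-cases, drops spaces, then expands every substitutable character
    into the original character plus each letter it could stand for, so
    "Pa33w0rd" yields "password" and "lEt m3 1n" yields "letmein".
    """
    compact = password.lower().replace(" ", "")
    options = [SUBSTITUTIONS.get(ch, "") + ch for ch in compact]
    for combo in itertools.islice(itertools.product(*options), MAX_CANDIDATES):
        yield "".join(combo)


def disguised_dictionary_word(password, dictionary=DICTIONARY):
    """True if any un-disguised form of the password, read forwards or
    backwards, is a dictionary word."""
    for word in candidate_words(password):
        if word in dictionary or word[::-1] in dictionary:
            return True
    return False


def check_password(password, dictionary=DICTIONARY):
    """Apply the post's password rules.

    Returns (failures, advisories): failures break a rule outright,
    advisories cover the "if feasible" recommendation.
    """
    failures, advisories = [], []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    if not any(ch.isdigit() for ch in password):
        failures.append("contains no number")
    if not any(ch.isupper() for ch in password):
        failures.append("contains no uppercase letter")
    # isalnum() is False for "£", so the author's favourite character counts
    if not any(not ch.isalnum() for ch in password):
        advisories.append("contains no non-alphanumeric character")
    if disguised_dictionary_word(password, dictionary):
        failures.append("dictionary word, forwards or backwards, once substitutions are undone")
    return failures, advisories


if __name__ == "__main__":
    for sample in ["Pa33w0rd", "lEt m3 1n", "abc", "Drowssap", "Rx7£kq2m"]:
        print(repr(sample), check_password(sample))
```

Because "3" and "1" are expanded to every letter they commonly replace, both of the post's examples are caught even though a single fixed substitution table would miss "Pa33w0rd" (where "3" stands for s, not e). The candidate cap keeps the expansion bounded for long, digit-heavy passwords.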


I see breaches of these rules on a regular basis, including:

  • Post-it notes with the password stuck to monitors or under keyboards.
  • Passwords with 3 characters.
  • Passwords that are really obvious, like January-week 1, which increments to January-week 2 and so on.


Most systems can be hacked in a reasonably short time, so I recommend that a computer system should lock if more than a set number of incorrect passwords is entered. Make it harder and more time consuming for the hacker.
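The lockout the post recommends is a small piece of state per account: a count of consecutive wrong passwords and, once the count exceeds the allowed number, a time at which the lock expires. The following is an added example, not code from the post, showing one way to implement it. The `LockoutPolicy` class, its parameters and the `attempt_login` helper are all assumptions made for this illustration; the clock is injectable so the behaviour can be exercised deterministically, and the password comparison stands in for the hash comparison a real system would do.

```python
import hmac
import time
from collections import defaultdict


class LockoutPolicy:
    """Lock an account once more than `threshold` consecutive wrong
    passwords are entered; the lock lasts `lockout_seconds`."""

    def __init__(self, threshold=5, lockout_seconds=900, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable time source
        self._failures = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}             # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # the lock has expired: clear it and start a fresh failure count
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Register a wrong password; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] > self.threshold:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A correct password resets the consecutive-failure count."""
        self._failures[account] = 0


def attempt_login(policy, account, password, expected):
    """Check a password only if the account is not locked.

    Returns "locked", "ok" or "bad-password". A locked account is refused
    before the password is even looked at, so the lock cannot be used to
    confirm a guess. The constant-time compare stands in for comparing
    password hashes, which a real system would do instead.
    """
    if policy.is_locked(account):
        return "locked"
    if hmac.compare_digest(password.encode(), expected.encode()):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "bad-password"


if __name__ == "__main__":
    # constructed demo: three wrong guesses are allowed, the fourth locks
    policy = LockoutPolicy(threshold=3, lockout_seconds=60)
    for guess in ["january1", "Letmein1", "Pa33w0rd", "Welcome1", "Rx7£kq2m"]:
        print(guess, "->", attempt_login(policy, "alice", guess, "Rx7£kq2m"))
```

Two details matter in practice: the lock is checked before the password, so a correct password presented during the lock is refused just like a wrong one, and a success clears the failure count so that an occasional typo does not accumulate towards a lock.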


Let us make 2011 a more secure year for our computer systems. Don't forget that the data on your system is precious and can lead to a great deal of distress, if not financial loss, if it is stolen by others.
