Monday, September 19, 2011

ISO27001 and Password Controls

I visit quite a number of companies each year, and those seeking certification to ISO 27001, the information security management standard, are growing in number.


The first step in any such engagement is an ISO 27001 gap audit to see how close (or far) the company is from meeting the standard. Usually it is evident that significant work is needed to meet this demanding standard.


To put the standards in perspective: if ISO 9001, the quality management standard, is a molehill, then ISO 27001 is Everest. I hope I have not put you off!


One part of ISO 27001 deals with access control, and I want to cover the part concerning the control and use of passwords. Here are some rules for passwords:




    Passwords should be complex: at least six characters, containing at least one number, one uppercase letter and, if you can, a character that is neither a letter nor a digit. I often put a pound sign (£) in my password, because only UK keyboards have that key.
    Passwords should not be dictionary words, either forwards or backwards.
    Never use Pa33w0rd (password) or l3tm31n (letmein), or a pet's or partner's name.
    Never give your password to anyone.
    Change passwords regularly.
    Never write a password down, unless it is heavily disguised.


I see violations of these rules on a regular basis, including:




    Post-it notes with a password stuck on the monitor or under the keyboard.
    Three-character passwords.
    Passwords that are really obvious, such as one built from the current week of the year (January, week 1) and simply incremented to January, week 2, and so on.


Most passwords can be guessed by an automated attack in a relatively short time if the attacker is allowed unlimited tries, so I recommend that the account (or computer) be locked once more than a set number of incorrect passwords has been entered. This makes the attack more difficult and time consuming.
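
As an added example (not code from the original post), here is one way to implement that lockout rule in Python: failed attempts are counted per account within a sliding window, and once the limit is reached the account is refused for a fixed period, even if the correct password is then supplied. The threshold, window and lock duration are assumed values; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account after `max_failures` bad logins inside `window_seconds`.

    The numbers below are assumed defaults, not values from the standard.
    """

    def __init__(self, max_failures=5, window_seconds=600, lock_seconds=900,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def _recent_failures(self, account):
        """Drop failures older than the window and return what is left."""
        q = self._failures[account]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Note a failed attempt. Returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        q = self._recent_failures(account)
        q.append(self.clock())
        if len(q) >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)

    def attempt(self, account, credential_ok):
        """Outcome of one login: 'locked', 'ok' or 'failed'.

        A locked account is refused before the credential is even looked at,
        so an attacker cannot learn during the lock whether a guess was right.
        """
        if self.is_locked(account):
            return "locked"
        if credential_ok:
            self.record_success(account)
            return "ok"
        return "locked" if self.record_failure(account) else "failed"


if __name__ == "__main__":
    # Constructed demonstration: three wrong guesses then the right one.
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lock_seconds=120)
    for ok in (False, False, False, True):
        print("alice:", policy.attempt("alice", ok))
```

Lock by account name rather than by source address, otherwise an attacker who rotates addresses is never stopped. The flip side is that a lockout lets anyone who knows a username lock its owner out, so pair it with logging and alerting on repeated lockouts rather than treating it as the only defence.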


Let's make 2011 a safer year for our computer systems. Remember that the data on your systems is valuable, and its theft by others can cause much distress, if not financial loss.
