
User password protect headache + Security vs smart business

  • 08-01-2007 11:40am
    #1
    Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭


    Just a quick question about an issue I'd like others' thoughts on.
    (Mods, if this is better in the Windows forum please feel free to move.)

    A user on the network in work constantly password protects her documents but doesn't tell anyone the passwords. We had an issue the other day when some accounts data was needed and we knew exactly where the document was but no-one could open it (stored locally so not in the backup - not good considering there is a secure folder on the network for this specific reason). User was not contactable to get the password so we had to resort to buying a password cracker off the net.

    Now, I'm all on for security on a network and for limiting access to sensitive documents but there is also the "what if you get hit by a bus" argument. There is also the possibility for complaints about taking away privacy by just saying "no more passwords" or by simply having a tool for bypassing them. Is there any legislation or does anyone work for a company with an official policy on this?


Comments

  • Registered Users, Registered Users 2 Posts: 32,136 ✭✭✭✭is_that_so


    This could probably be best dealt with by an IT Policy. In it you could define the boundaries between personal type docs (of which there should be very few) and company information. Or something as simple as an email stating that everything produced in the company is owned by the company. By the act of her password protecting files she is "interfering" with company documents. Not sure what legislation covers that but it does tend to be part of NDAs in large companies. Or alternatively someone could pull her aside and point out how many man hours are wasted due to lack of access to documents that she has protected and simply say don't do it! ;)


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    I had a similar problem recently with a couple of staff members implementing a BIOS password on company PCs and had to waste a few hours hunting down the correct procedure for resetting them.

    Staff have no business implementing their own security measures on company property (whether physical or intellectual). That's a job for the appointed staff members.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Has anyone had an official word with her about this? It might be time to draw out some standards/policies regarding documents that are supposed to be shared so that this doesn't happen again.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    That's actually what I am looking for, any sort of "official" word. The user is quite high up in the company echelon so it is almost impossible to say "do this" without having some form of precedence or some reference to an official publication or security guideline policy.


  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    If you get an IT policy document drawn up with all necessary company rules and then email it to all staff, then if anyone is in breach of these regulations, i.e. your password protector, they will have prior warning of the error of their ways, and irrespective of whether they read the document or not, you can enforce it.

    It's very useful to stipulate that company PCs are only for work purposes as such, and that all files stored on them, all emails sent via internal email and all external internet activity is subject to monitoring so as not to give anyone any excuses.


  • Closed Accounts Posts: 198 ✭✭sh_o


    LoLth wrote:
    That's actually what I am looking for, any sort of "official" word. The user is quite high up in the company echelon so it is almost impossible to say "do this" without having some form of precedence or some reference to an official publication or security guideline policy.
    Take a look here which may give you a starting point for IT security policies. The Acceptable Use Policy is probably what you are after and will only need some minor revision.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    Get her to sign something that says you are not liable for any/all losses/damages/issues caused by anyone being able to get into those files. On the form make sure there is a space for the CEO or MD / your manager etc. so that it isn't just her who can sign off. And yes you can tell her that you need it in writing from the head honcho because you won't be the fall guy when/if that file goes pear shaped (if it's an Excel file then eventually it will become corrupt) and make sure she and everyone who relies on those files knows that you have washed your hands of all responsibility of them, including backups.

    Also try to get her to put the passwords in a sealed envelope, in the company safe perhaps as a backup. Again you are hoping she gives in before this.

    Also password means file is more difficult to repair a corrupt doc.
    Also downloading crackers exposes the company to dodgy software written by skilled crackers, maybe there is an easter egg in there ;)

    Does that user clean down their temp folder / swap file every day?




    If you could show her that you can make her files more secure then that might be a better idea.

    Perhaps look at leaving no password on the file but encrypting the folder?
    ENTFS

    http://www.komplett.ie/k/ki.asp?sku=319582
    If you have the original key number and password you can reconfigure a new key to work if you lose the original one.
    www.allnet.de/ftp/pub/allnet/usb/allkey/Manual.pdf
    Type the Key ID serial number where was labeled on the CD-ROM and the
    password (you name it). It is very important that you keep the Key ID and
    Password safely. You might duplicate the same new Key if the old Key was lost.
    This new Key can get the data from your previous VHDD which you made
    before.
    Not used them before but may be an option.

    If the files are on a laptop - make sure you password the HDD in the BIOS, can be a simple password in case it gets stolen.


    biometrics - there are many thumbprint mice out there too



    BTW: what is the best way of making sure IT don't have access to users' files, but still be able to manage the system? Of course the real killer is that any backup operator in Windows can restore any file anywhere without security settings :(

