Undercover

Audit Agitation

What do you do when your customers want you to do an independent security audit, and your CEO doesn't?

Page 2

Let me interrupt for a moment and tell you that I'm not making this up. My CEO is really this bad. Only a few identifying details in this story have been altered, and the names of the ignorant and incompetent have been changed to protect their privileged status.

"Who's next?" he demanded. His assistant pointed at me. Maybe I should have worn barbeque sauce to this meeting, I thought.

"Get in here!" he yelled, and stomped back into his office. I followed him at a safe distance.

He turned suddenly and thrust his face an inch from mine. "What do you want?"

And a good morning to you too, sir, I thought.

"Well, Mr. Blowhard, we've been getting a lot of requests from our clients recently to provide SAS 70 documentation on our information security controls and practices."

"I don't care about that. I want to know what you're going to do about passwords."

I thought for a moment. What did he mean? Do away with them? Implement single sign on? I decided to bite.

"Is there a problem with passwords?" I asked.

"I couldn't remember my password this morning! I had to wait until my secretary logged me on. I don't like waiting. Waiting is money. I want you to do away with passwords." With a dismissive wave of his hand, he headed back to his desk.

I decided to ignore the obvious violation of policy prohibiting the sharing of passwords and to pick my battles. I cleared my throat. "That's actually not a good idea, sir."

He stopped and wheeled to face me. "Why not?" he said. I could have counted the number of veins sticking out on his forehead. "Don't you ever disagree with me!"

"Without passwords," I continued, "anyone could get into your computer. That means they could read all of your files, your e-mails, even send e-mails under your name. That could put the company at risk."

"There's nothing on my computer that's sensitive! We're an open company." The irony did not escape me. But then again, only poets get paid for pointing out irony.

"Someone could send an embarrassing e-mail from your computer. Say they wrote to The New York Times or a major client."

"They could do that now by creating a Hotmail account with my name on it," he thundered.

"Yes, but the e-mail wouldn't be from our company's domain and...."

"Domain? You come in here and waste my time by talking security technobabble! This isn't the CIA!"

"Actually, I came in here to discuss what our clients have been asking for: a SAS 70. It's a third-party assessment of our security."

