LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

Arguments for control adoption

  Quote
Guest
Guest user Created:   Jan 31, 2019 Last commented:   Jan 31, 2019

Arguments for control adoption

I'm considering buying the Password Policy but I'd like to know if it can help me before I buy it!
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 31, 2019
I have a specific reason to want advice. I've bought 4 or 5 items from you guys now and they are all excellent but the reason for looking at this one is because the other staff in the organisation are pushing back on the effects its having on them for convenience reasons. So they are not happy with having to remember their passwords - understandable of course it would be more convenient to rely on a browser remembering them or to use a simple password that doesn't expire etc.
ISO 27001 requires us to have a password policy or access policy which applies risk treatment But I am looking for something to back up my argument that we need real control measures specifically about web browsers storing password information and i was really hoping your standard document would have some kind of concrete best practice for me to produce as a compelling case to do that. Its a very specific question I know and I really appreciate any advice on it.

PS. I must say the Internal Audit Procedure document I downloaded from you guys were the best value. Actually my query was really focused on internet browsers saving passwords – in the free trial version I can’t see whether you guys make reference to that, but perhaps it’s implied by “files containing passwords must be stored separately from the application’s system data” ?

Answer:

To backup your argument about a password policy people that are uncomfortable with you should seek:
- the results of your risk assessment about the impacts of risks related to information compromise by means of weak or misused passwords.
- clauses related to contracts with customers or suppliers demanding the use of a password policy and the consequences of not fulfilling such clauses.
- clauses related to laws or regulations your organization must comply with demanding the use of a password policy and the consequences of not fulfilling such clauses.

With this information you can show them the potential impacts the organization is exposed to if they do not handle passwords properly.

For example, the compromise of customer information due to lack of care with passwords can lead to heavy fines considering EU GDPR (the fine can be up to 4% of the revenue, which might mean millions of dollars). This may be an argument strong enough to support the adoption of a password policy.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 31, 2019

Jan 31, 2019