Password Policies Are More Than Just Paperwork
There are plenty of regulations out there when it comes to your organization’s electronic security. The ones I’ve encountered most often are PIPA (Personal Information Protection Act, the Alberta statute governing the protection of personal information in the private sector), PIPEDA (Personal Information Protection and Electronic Documents Act, the federal act to which Alberta’s PIPA is the substantially similar provincial counterpart) and PCI-DSS (Payment Card Industry Data Security Standard, a contractual standard written by the card brands and enforced on merchants through their acquiring banks rather than a law in its own right). For many organizations, the personal information they hold is mostly payroll and employee records. PCI-DSS applies to any organization that stores, processes or transmits payment card data, which in practice means anyone who accepts credit or debit cards. What all of them have in common is that they expect documented security policies from anyone looking to maintain compliance, and a password policy is one of the clearest examples.
With the prevalence of plastic, it’s fair to say that most businesses are required to follow PCI-DSS. PIPEDA applies to plenty of organizations as well (for many of them, only as far as the requirement to protect their employee information). There are other regulations, too, and each applies in different situations, but they apply whether or not you are aware of them. That means it’s in your best interest to stay on top of which regulations apply to you.
For this newsletter I’ll keep the scope narrow and talk about just one requirement that PCI-DSS and PIPA/PIPEDA share. You see, none of these regulations is only about electronics and computers; the machines are just one part of the problem when it comes to protecting personal information. The other part is, as always, the people involved. You will never achieve reasonable electronic security if you focus only on the computers. The regulators recognize that you need to spend some time dealing with the problematic behaviour of people as well.
To that end, both PCI-DSS and PIPEDA require that you have processes and procedures in place to protect personal information. These processes need to be thoroughly documented and “on the books” as official policy. Rules that aren’t codified are usually not enforceable and get ignored the moment they become inconvenient.
One of the most important, and yet most often overlooked, of these requirements is that your organization must have an official password policy.
In the regulators’ defence, this makes sense because people usually have terrible password habits. And I mean really terrible. Credential stuffing, in which an attacker takes username and password pairs leaked from one website and replays them, usually with automated tooling, against the login page of another, is an absurdly common attack (there’s no cleverness to it; it only works because of reuse). The point is that far too many people reuse credentials across websites, a serious cyber security no-no, and a single breach elsewhere then unlocks accounts at your organization. Credential stuffing is neither a new nor an innovative attack, and pretty much everyone has heard the advice not to reuse credentials. Despite that being common knowledge, the number of organizations I’ve run across without official password policies is astounding. For example, many TRINUS clients are government institutions, yet most of them didn’t have an official policy in place when we started working with them (they weren’t compliant with their own standards!). Neither PCI-DSS nor PIPEDA is new, and the number of organizations that don’t realize they’re subject to these regulations often leaves me gobsmacked. One caveat a policy can’t fix on its own: a written rule against reuse doesn’t stop an employee from reusing a password you never see, so the policy should be backed by controls such as multi-factor authentication and monitoring of logins for stuffing patterns.
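Credential stuffing has a recognisable signature in authentication logs: one source address trying a different username on nearly every attempt, with a handful of successes mixed in, as opposed to a password-guessing attack that hammers a single account. The script below, an added example that is not part of the original newsletter, runs that check over a few constructed sshd-style log lines. The log format, the IP addresses, the usernames and the thresholds are all assumptions chosen for illustration; adapt the regular expression to whatever your own systems emit.

```python
"""Credential-stuffing detection over constructed auth-log lines.

Added example, not part of the original post. The sshd-style line format,
addresses, usernames and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). 203.0.113.7 tries a different
# account on each attempt, the fingerprint of a stuffing run; 198.51.100.2 is a
# single user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for bob from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for carol from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for dave from 203.0.113.7
2024-03-01T10:00:04 sshd: Accepted password for erin from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for frank from 203.0.113.7
2024-03-01T10:05:00 sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:05:30 sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:06:00 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """Flag source IPs that attempted at least `min_distinct_users` different
    usernames within any sliding `window` of time.

    Returns {ip: {"distinct_users": n, "accepted": [users that logged in]}}.
    The accepted list is the set of accounts to treat as compromised, since
    a stuffing run that succeeds has just proven those passwords were reused.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                findings[ip] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    "accepted": sorted({e["user"] for e in evs
                                        if e["result"] == "Accepted"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} usernames tried, "
              f"compromised accounts: {info['accepted'] or 'none'}")
```

On the sample data only 203.0.113.7 is flagged (six usernames in four seconds, with `erin` successfully logged in and therefore due for a forced reset), while the legitimate user at 198.51.100.2 stays below the threshold because all attempts target one account. In production the thresholds need tuning to your login volume, and the source address should be the real client address (the `X-Forwarded-For` value behind a proxy, for instance), or every attempt will appear to come from the load balancer.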
It doesn’t matter what sort of organization you are. You need an official, on-the-books password policy that is communicated to all your employees. It’s not a hard policy to create; it simply spells out the limits your organization places on what counts as acceptable password behaviour. Statements like “never give your password to anyone, even internal IT staff” or “all passwords must be at least 10 characters long, even if the system doesn’t enforce it” should be sacrosanct in any organization. Pick the numbers to match the standards you answer to (PCI-DSS v4.0, for example, sets its own minimum at 12 characters), and have the systems enforce them wherever they can, because a rule that depends on people remembering it is the rule most likely to be broken.
Today’s Shakespeare comes from Henry IV, Part 1. “O gentlemen, the time of life is short! To spend that shortness basely were too long, If life did ride upon a dial’s point, Still ending at the arrival of an hour.”
If you have any questions about developing your own password policies, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.