security policy question

Siraj Shaikh siraj.shaikh at
Tue Mar 5 12:40:30 GMT 2013

Is it worth exploring/clarifying the level of liability incurred by the
employee? Or the split across the institution and the employee? The
allocation of people/resources made available to you depends on this.

Also, are we assuming that this will always be due to an employee? What
happens when a password is compromised due to a direct decision made by the

A possibly silly question: are there any insurance policies that would
cover people against such work-related liabilities?

On 5 Mar 2013 11:29, "Martin Hepworth" <maxsec at> wrote:

> I suggest this is trying to make you think twice about sharing passwords
> and the like, but it does seem poorly worded and under evidence they'd have
> to prove it wasnt you anyway (innocent until proved guiltly).
> I see your point though, esp if you have quite a powerfull account with
> access to lots of sensitive data.
> --
> Martin Hepworth, CISSP
> Oxford, UK
> On 4 March 2013 23:29, Root <root at> wrote:
>> Hi All,
>> I am not sending this from my usual account as gmail seems to have hit
>> various blacklists. Even though the 2 factor auth and MITM detection seems
>> to be a good thing in a web-mail service. So instead i am probably going
>> to
>> be giving spamd on this OBSD box a good work out.
>> I am looking for a bit of advice.
>> I work for part of the NHS and was recently given a new version of our
>> security policy to sign.
>> It contains the usual i will be a good citizen, take care of the datas,
>> not hand out my password or transfer data onto unencrypted memory
>> sticks/laptops and leave them in taxis etc.
>> I am generally in favor of these and usually have no problems appending my
>> signature but the difference between the old and new policy is the
>> following:
>> "I further understand that I am responsible for any transactions carried
>> out under my personal password and code"
>> I have no confidence that it wouldn't be trivial for someone to get hold
>> of my user-name and password by methods which don't involve me being
>> irresponsible.
>> Any advice would be very helpful before i make a nuisance of myself.
>> thanks
>> mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ukcrypto mailing list