security policy question

Siraj Shaikh siraj.shaikh at gmail.com
Tue Mar 5 12:40:30 GMT 2013


Is it worth exploring/clarifying the level of liability incurred by the
employee? Or the split across the institution and the employee? The
allocation of people/resources made available to you depends on this.

Also, are we assuming that this will always be due to an employee? What
happens when a password is compromised due to a direct decision made by the
employer?

A possibly silly question: are there any insurance policies that would
cover people against such work-related liabilities?

Siraj
On 5 Mar 2013 11:29, "Martin Hepworth" <maxsec at gmail.com> wrote:

> I suggest this is trying to make you think twice about sharing passwords
> and the like, but it does seem poorly worded and under evidence they'd have
> to prove it wasn't you anyway (innocent until proved guilty).
>
> I see your point though, esp if you have quite a powerful account with
> access to lots of sensitive data.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 4 March 2013 23:29, Root <root at mikieboy.net> wrote:
>
>> Hi All,
>>
>> I am not sending this from my usual account as gmail seems to have hit
>> various blacklists. Even though the 2 factor auth and MITM detection seems
>> to be a good thing in a web-mail service. So instead I am probably going
>> to be giving spamd on this OBSD box a good work out.
>>
>> I am looking for a bit of advice.
>> I work for part of the NHS and was recently given a new version of our
>> security policy to sign.
>> It contains the usual I will be a good citizen, take care of the datas,
>> not hand out my password or transfer data onto unencrypted memory
>> sticks/laptops and leave them in taxis etc.
>>
>> I am generally in favor of these and usually have no problems appending my
>> signature but the difference between the old and new policy is the
>> following:
>> "I further understand that I am responsible for any transactions carried
>> out under my personal password and code"
>>
>> I have no confidence that it wouldn't be trivial for someone to get hold
>> of my user-name and password by methods which don't involve me being
>> irresponsible.
>>
>> Any advice would be very helpful before I make a nuisance of myself.
>>
>> thanks
>> mike
>>
>>
>