Friday, October 14, 2011

Part 2: On Passwords, Password Policies, and Teaching

I noted in yesterday's post that I used the answers to drive a conversation with a student employee, but didn't provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy - essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

  • A large multinational corporation
  • A commercial website like Amazon, or a cloud service like Dropbox or Picasa
  • A small company or non-profit
This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.

No comments: