Ignorance is Not a Control

A few years ago, one cold winter morning on her way to work, with 10-12 inches of snow on the ground, a young lady who I worked with locked herself out of her car while it sat in the driveway of her home. Not only had she locked her car keys in the car, but she had also locked her house key in the car, and the house was locked too. Her spare keys were, of course, in the house. Finding that she could not enter via the front door, she scrambled around the house, wearing high heels and a dress, in 12 inches of snow looking for an open window. She was finally able to find a window that she could jimmy open enough for her to ungracefully crawl through and thus obtain access to her house and her spare keys.

She marched triumphantly out to her car, opened the driver's side and slid into the seat. It was at that moment that she realized that the passenger side door had been open all the time. High tech car door security had not kept her out; her ignorance had.

A phrase often used by auditors is, ‘ignorance is not a control’. For the manager, supervisor or IT security person, this means several things. First, make sure you have policies around security practices such as passwords and user IDs. Second, even if you have password and user policies, don’t assume they are followed. Finally, even if they were followed once upon a time, don’t presume that they are still being followed in all cases today. You should perform regular audits of users and their passwords to ensure that your company policies are being followed.

You may believe that your systems are safe and secure because you are observing only the way your password is set up and operating. All the while, figuratively speaking, your passenger door may be unlocked and allowing the wrong people to have access to your ‘car’. inContact has a flexible security model that allows its customers to create their own level of password strength. inContact customers can use preset default password strengths that specify how many and what types of characters can be used in passwords, as well as number of attempts and how long passwords live. Customers can also define and create their own custom password strength profiles.

The complexity of your passwords should be in line with your company policies and reflect the level of access the user requires. Weak profiles should be avoided. Periodic audits should be performed to validate that users have the appropriate level of access, that their password and user name conventions are in line with company policies and that there are no instances of ex-employees who still have access to the system. inContact's security model is designed to ensure that the right people can have access to the right information. Ignorance is not part of that security model, nor is it a control. Good software models require application of best practices to be effective. Be sure to audit your policies, users and passwords to ensure the security of your inContact environment.