
We recently had an IT system installed for document control. This has the usual username/password control. But what freaked me out was seeing that the passwords are not only stored in clear text in the database, but they're also shown to the admin girls! I've had to change passwords on other systems now, to ensure the integrity of those systems.

The supplier contends that we did not specify password encryption. But I'm sure there's something in the DPA which says that information should be kept secure, so therefore he should be doing it simply to comply with the law. Please tell me where, what clauses etc apply if this is the case.

Thanks

2006-12-19 05:08:52 · 1 answers · asked by Geoff M 5 in Politics & Government Law & Ethics

The system was "designed" by the admin dept with no assistance from the software dept (which I'm in charge of). I guess I should have demanded that I see the specs before they go out but then I don't have much time. Whenever we, as softies, write software that involves usernames, passwords are de rigueur - the end-user doesn't need to ask for them, it's just "good programming practice".

Although we have access to the database, we don't have access to the software. So if we encrypted the fields, then the vendor would have to change the software as well. I'm trying to avoid the cost of this by pointing out that it should have been done in the first place. After all, how deep can specifications go? Do we need to specify every last minute detail? The spec would have thousands of requirements if that were the case!

[If I had my way, we would have gone for a COTS product...]

2006-12-19 05:29:18 · update #1

1 answers

First thing to check is your contract with the vendor. Does it specify password encryption or that it be SOX compliant? If so, you have a breach of contract. If not, I would have to ask if anyone in your IT department has had any experience in dealing with software vendors.

That said, what do you do now? Depending on your computer system, you can encrypt the file the passwords are stored in. This would not require any changes by the vendor. If your hardware or operating system cannot do encryption, then you'll have to get the vendor to change their software. This may come with a "consulting" charge that can be quite expensive. If neither of these are a good option for you, then you will need to decide if the software is really what you want on your system.

2006-12-19 05:21:48 · answer #1 · answered by c.s. 4 · 0 0
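The "good programming practice" the asker refers to, shown as an added example (not code from the page, the vendor, or the product): the cleartext pattern the question describes, beside salted, iterated hashing with PBKDF2-HMAC-SHA256 from Python's standard library. The user table is a plain dict and the two sample accounts are constructed for the demo; no schema or product detail on the page is assumed. With hashing, an admin who can read the table sees only a salt and digest, and the application never needs the password back, which is the difference between this and encrypting the file at rest as the answer suggests: encryption at rest protects the file, but the application still decrypts and can still display the passwords.

```python
"""Added example: cleartext password storage versus salted, iterated hashing.
Not code from the page, the vendor, or the product under discussion."""

import hashlib
import hmac
import secrets

# A dict stands in for the vendor's user table (hypothetical; the real
# schema is not on the page).

# --- Pattern 1: what the question describes ---------------------------------

def store_plaintext(table, username, password):
    """Store the password itself. Anyone who can read the table, including
    the admin screen, can read every user's password."""
    table[username] = password
    return table[username]


def check_plaintext(table, username, password):
    return table.get(username) == password


# --- Pattern 2: salted, iterated hash (PBKDF2-HMAC-SHA256) ------------------

PBKDF2_ROUNDS = 600_000   # OWASP (2023) minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt_hex$digest_hex'.
    A fresh random salt per user makes identical passwords hash differently
    and defeats precomputed lookup tables."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute the digest with the stored salt and rounds and compare in
    constant time, so a wrong guess is not distinguishable by timing."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, rounds, salt_hex, digest_hex = parts
    try:
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(rounds)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


# Hashed once at import so that a login attempt for an unknown user costs the
# same as a wrong password for a real one (no username enumeration by timing).
_DUMMY_RECORD = hash_password("dummy-password-not-a-real-user")


def store_hashed(table, username, password):
    table[username] = hash_password(password)
    return table[username]


def check_hashed(table, username, password):
    record = table.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(record, password)


def demo():
    """Run both patterns on constructed sample accounts and return what an
    admin who can read the table would see in each case."""
    plain, hashed = {}, {}
    for user, pw in (("geoff", "Tr0ub4dor&3"), ("admin", "Tr0ub4dor&3")):
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)
    return {
        "plaintext_table": dict(plain),
        "hashed_table": dict(hashed),
        "same_password_same_hash": hashed["geoff"] == hashed["admin"],
        "login_ok": check_hashed(hashed, "geoff", "Tr0ub4dor&3"),
        "login_wrong": check_hashed(hashed, "geoff", "tr0ub4dor&3"),
        "login_unknown": check_hashed(hashed, "nobody", "Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Migrating an existing cleartext table to this scheme needs no password reset: each stored password is hashed once and the cleartext column dropped. The vendor's login code does have to change to call the verify step instead of comparing strings, which is why the asker notes that encrypting the fields alone is not enough without a software change.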

fedest.com, questions and answers