IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.22 Escrow of passwords
Initiation responsibility: Head of IT section
Implementation responsibility: IT-user
If access to an IT system is protected by means of a password, provisions must
be made to ensure that, in case of absence of a staff member, e.g. vacation or
illness, his/her substitute will have access to the IT system. For this purpose,
the current password must be deposited by each staff member in an
appropriate place (in a sealed envelope) and must be updated whenever the
password is altered. If the need arises to use that escrowed password, this
should be done according to the two-person rule.
In the case of telecommuters, it should be ensured that their passwords are
also deposited at the institution, so that if an emergency arises, a stand-in can
access the data stored on the telecommuting computer.
For all systems attended to by administrators, especially for networked
systems, regular inspections must ensure that the current system administrator
password has been escrowed.
Additional controls:
- Are the escrowed passwords complete and up to date?
- Have provisions been made to ensure proper use of the given escrowed
password?
- Is the system of password changes being controlled on the basis of the
updating entries for escrowed passwords?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000