Case Study

Company X has decided to move from eight$-$character passwords that are rotated every $60$ days and require three of the following four requirements: upper case character, lower case character, number, special character. They are moving to $14+$ character passphrases that will be rotated every $365$ days or if an event occurs $($e$.$g$.,$ credential compromise$).$

Prior to this transition, the company had required eight$-$character passwords for many years. This was a global policy, applying to every region of the world, including at least $14$ different languages at various locations, including France.

The company maintains over $1,000$ systems$/$applications that require usernames and passwords. Some of these systems are "legacy" or past end$-$of$-$life. The service desk supports end$-$users, and the Human Resources department holds the system of record for associate records.

The company has a hybrid model using an on$-$premise active directory in addition to an Azure active directory. Additionally, the identity and access management systems are eight years old. When it was implemented, it was highly customized with hard$-$coded changes, including the number of days for rotation. It is now end$-$of$-$life, and the vendor will provide only limited support. The organizations that support these two systems$/$applications are different.

A core team within IT was identified to make this change. They were assigned a project manager, who is helping them to develop a communication plan. As you can imagine, a change that will be this broad and technical will require multiple levels of communication required to a wide array of stakeholders.

The goal is to complete this transition over a $90-$day period. Every employee will be impacted by this change and required to change their password to a passphrase. At the end of the $90$ days, the results will be communicated to the executive team and to the board of directors.Who do you see as the primary stakeholders and what do you think is relevant to communicate to them?

Based on the key stakeholders, how would you plan to communicate with them?

What problems can you forecast based on the information provided and how might you avoid them?

What role do you see communication and relationships playing in your future in cybersecurity?