Many churches have annual audits performed by CPA firms, often to satisfy the terms of building loans or to help demonstrate integrity in their finances to a watching world. Both are good reasons.
And these days, auditors are also paying attention to potential IT issues as part of their due diligence to see if things are being done correctly. However, many of those auditors have no professional IT training or experience; they simply work through a series of scripted questions and record the responses.
Even so, through this process, CPAs have heightened everyone’s sense of appropriate IT security. Some things they have drawn attention to are very good, such as locked server rooms. However, on password strategies, they may have hurt us by recommending we change passwords every 90 days. The practice of changing passwords so often in churches actually lowers security! When employees or volunteers change passwords, the new passwords are often written on Post-It® notes and taped to monitors and displays.
On March 2, 2016, the website operated by the Federal Trade Commission (FTC) published a post stating that policies requiring regular password changes were “less beneficial than previously thought, and sometimes even counterproductive.”
The post goes on to reference two studies whose researchers concluded that “frequent mandatory [password] expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”
What I recommend, instead, is the following password policy:
- Passwords must be a minimum of seven characters and include uppercase and lowercase alpha characters, numbers, and common punctuation.
- Passwords must never be shared with others, and they never expire. They will be replaced if a breach occurs.
- Passwords can only be set by the IT department and are maintained in an encrypted file for reference.
This policy makes for easy-to-remember passwords since it accommodates most Bible verse references. It also helps to eliminate the Post-It® note issue. If people tell IT they need a new password because they shared it with someone, IT can give them a new one and update their documentation. If someone does that often, the situation should be referred to leadership for possible action.
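As an added example (not part of the original article), here is a small Python check that applies the first rule of the policy above, so IT can confirm a proposed password meets the minimum length and all four character classes before recording it. It assumes "common punctuation" means standard ASCII punctuation; the sample passwords are constructed, shaped like the Bible verse references mentioned above.

```python
import string

# Policy requirements from the article: at least seven characters, with
# uppercase and lowercase letters, numbers, and common punctuation.
MIN_LENGTH = 7
# Assumption: "common punctuation" is taken to mean ASCII punctuation.
PUNCTUATION = set(string.punctuation)


def policy_violations(password: str) -> list[str]:
    """Return the policy requirements the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in PUNCTUATION for c in password):
        failures.append("no common punctuation")
    return failures


def meets_policy(password: str) -> bool:
    """True only when every requirement is satisfied."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed samples: verse-style passwords that pass, and ones that
    # each miss exactly one requirement.
    samples = ["John3:16!", "Jn3:16!", "john3:16!", "John316", "Jn3:16", "John:Three!"]
    for pw in samples:
        result = "OK" if meets_policy(pw) else ", ".join(policy_violations(pw))
        print(f"{pw!r}: {result}")
```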