S 2.97 Correct procedure for code locks
Initiation responsibility: IT Security Officer
Implementation responsibility: User
If protective cabinets with mechanical or electronic code locks are used, the code for these locks must be changed:
- after purchase,
- when there is a change of user,
- after opening in the absence of the user,
- if it is suspected that the code has become known to an unauthorised person, and
- at least once every twelve months.
The code must not consist of numbers which are easy to determine (e.g. personal data, arithmetical sequences).
Each valid code of a code lock must be recorded and escrowed in a secure place (see S 2.22 Escrow of passwords, which applies analogously). Escrowing the code in the protective cabinet which it opens is pointless.
If the protective cabinet has a further lock in addition to a code lock, a judgement should be made as to whether the code and the key are deposited together, which would allow quicker access in an emergency, or separately, so that it is more difficult for an attacker to gain access.
Review questions:
- Are there rules for changing the code of code locks on protective cabinets?
- When selecting the code, are character strings which are easy to determine avoided?
- Are the valid codes escrowed in a secure place?
- Protective cabinet with code and key: Are there rules specifying whether they should be stored separately or together?