HACKER Q&A
📣 firstandforest

What is your workplace policy on divulging account passwords to IT?


This is an 'asking for a friend' situation, with the friend in question being pressured by their company's IT department to divulge their password (so as to facilitate updates more easily). This person is relatively high up in the company, and handles IP that is both valuable and sensitive.

My advice to them was that, in the absence of a company-wide directive that absolved them of any and all repercussions from the sharing of their password, they shouldn't give it up.

However, I wondered how other companies (big and small) handled this. What's your experience?


  👤 byoung2 Accepted Answer ✓
IT should have a system of roles and permissions that allows administrators to log in as another user if necessary to install updates or reset passwords. This access should be logged and ideally periodically audited by a 3rd party. Sharing a password is dangerous because it is impossible to determine who used the password to perform a malicious act.