Perhaps anecdotal, but I have never got any negative response on answering “no, we do not enforce password rotation as this is against NIST recommendations.”
Unfortunately that's not how it plays out in most large organizations, which have separate network, hypervisor, security, etc., teams. Everyone works off a playbook, whose origins are usually lost in time and space.
If you want them to change the playbook, it'll involve some schlub having to run from pillar to post between those organizations, trying to get everyone to agree to a change to this policy, and you can bet he or she is not paid or motivated to do this. If another vendor comes along who will go with the flow, they get the sale.
Every organization I’ve worked for has been able to change policies at will. I’ve written them for half a dozen. I don’t particularly like writing policies but if you do you’ll be able to remove the absurd and broken parts.
suid|1 year ago
more_corn|1 year ago