Re: Authorizing password changes in a health science center

["Penn, Blake" <pennb () UWW EDU>]

I've seen the third factor (something you have) used in such
applications in the past - like handing out grid cards to your employees
and have the access management dept use the corresponding software to
issue the challenges based on the serial number of the employee's card.
Employees have to remember to report lost/stolen cards immediately, of
course!
  
___________________________________________
Blake Penn, CISSP                             
Information Security Officer          
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

***************************************************

From: David Grisham [mailto:DGrisham () SALUD UNM EDU] 
Sent: Tuesday, February 13, 2007 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authorizing password changes in a health science
center

The hospital has for a long time required a facsimile of the
identification badge each time a password change is requested.  It is a
new century end programs like Photoshop presented a new risk to that
process.  We do not want to ask for personal information on any email or
phone call request.  (Our staff could be around others who might take
advantage of that information, if overheard)
We have added password challenge questions for half of our systems.  The
patient systems cannot be placed into a web page challenge at this time.
What do your account groups do to verify the identity of some one
needing a password change to systems with confidential information?
 
 
Cheers. -grish
David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu