Educause Security Discussion mailing list archives
Re: Authorizing password changes in a health science center
From: "Penn, Blake" <pennb () UWW EDU>
Date: Tue, 13 Feb 2007 15:20:28 -0600
I've seen the third factor (something you have) used in such applications in the past - like handing out grid cards to your employees and have the access management dept use the corresponding software to issue the challenges based on the serial number of the employee's card. Employees have to remember to report lost/stolen cards immediately, of course! ___________________________________________ Blake Penn, CISSP Information Security Officer University of Wisconsin-Whitewater (p) 262-472-7792 (f) 262-472-1285 pennb () uww edu | http://www.uww.edu/security *************************************************** From: David Grisham [mailto:DGrisham () SALUD UNM EDU] Sent: Tuesday, February 13, 2007 2:40 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Authorizing password changes in a health science center The hospital has for a long time required a facsimile of the identification badge each time a password change is requested. It is a new century end programs like Photoshop presented a new risk to that process. We do not want to ask for personal information on any email or phone call request. (Our staff could be around others who might take advantage of that information, if overheard) We have added password challenge questions for half of our systems. The patient systems cannot be placed into a web page challenge at this time. What do your account groups do to verify the identity of some one needing a password change to systems with confidential information? Cheers. -grish David D. Grisham, Ph.D., CISM, CHS, CHSP Manager, IT Security, UNM Hospitals, Information Technology 1650 University Blvd, S.500, Albuquerque, NM 87102 Ph: (505) 272-5657 FAX 272-3305 Work email: dgrisham () salud unm edu Adjunct Faculty, Computer Science, UNM Academic & personal email: dave () unm edu
Current thread:
- Authorizing password changes in a health science center David Grisham (Feb 13)
- <Possible follow-ups>
- Re: Authorizing password changes in a health science center Penn, Blake (Feb 13)
- Re: Authorizing password changes in a health science center Steve Devoti (Feb 13)