Educause Security Discussion mailing list archives

Re: Password Expatriation notification


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 23 Aug 2010 19:26:51 -0600

Notification across a campus or any large organization is becoming a
challenge, particularly when you need quick acknowledgment and response.  We
looked at the information that came out of the Virginia Tech attacks a few
years ago and other emergency events, and quickly spotted the effects of
technology and generations on overall notification effectiveness.  A key
mechanism in play is transgenerational human factor effects on the
notification processes and procedures.  

From a technology perspective, we note that generations, which were defined
along 10 to 15 year periods, must now be defined as 5 to 7 years or less,
with each having their primary/preferred communication methods and
technologies.  So, 'older generations' in the 38-45 year old range are
accustomed to pager technologies, those in the 30-37 rely on e-mails to a
greater degree than those in the 23-29 range, who grew up with cell phones.
Texting is much more prevalent among those 22 and younger, most of whom have
little or no memory of corded phones.  Those 22 and younger also do not
remember a time when cell phones were not readily available.  So, when
designing an effective notification system for time sensitive events, it is
wise to consider transgenerational human factor effects by assessing the
generations within the community and ensuring that notifications go out
using the various preferred/popular methods and technologies in use.  

A related effectiveness factor relates to the methods and processes that can
cut through the social e-chatter, which leaves people oblivious to
traditional attention-grabbing cues.  By the way, if a vendor tells you
that they have a long-term solution, consider it carefully and make sure
that the preferred system is inherently flexible and extensible.  Each new
e-generation will bring along new technologies and social use rules, meaning
that notification systems do not work well when approached from a static
point-in-time design perspective.  Instead, a process needs to be in place
to reassess and validate assumptions, and make adjustments as conditions
change.  Sorry for the long epistle, but this is an important area that we
often find lacking.

Regards,

Ozzie Paez
SSE/SAIC
303-332-5363   

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dergenski, Todd A.
Sent: Monday, August 23, 2010 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expatriation notification

This very topic came up in a meeting this morning.  Our solution is multiple
avenues of notification.  We send mails (30, 14 and 7 days out) and also
have the lab machines prompt a notification under 30.  Additionally, we will
be modifying our single sign on to display a notification page under 30 and
do a redirect under 3.  Messages in our portal are also planned, but are
on hold until we can come up with more content.  They don't like a dedicated
box that is empty most of the time.

I would recommend finding a service that everyone logs into regularly and
seeing if you can get the message there.

Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA

(757) 683-4301
tdergens () odu edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Saturday, August 21, 2010 1:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Expatriation notification

On 18/08/2010, at 6:44 AM, James Farr '05 wrote:

We recently implemented a policy where the users receive an email 30 days
before the password is set to expire.  Sure enough, people thought this was
a phishing attempt.  However, since we have some off-campus users that may
never set foot on campus, email seemed to be the only way to notify
everyone.



I have had this problem notifying people about possibly compromised
credentials too.

After a bit of toing and froing we managed to convince the keepers of the
university home page to add a password change link to the list of quick
links on www.auckland.ac.nz.   Now we can tell folk how to change password
easily without giving any urls.  We will use the same technique when we
start expiring passwords later this year.

Russell

