Educause Security Discussion mailing list archives
Re: SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182)
From: Erwin Carrow <Erwin.Carrow () USG EDU>
Date: Mon, 30 Aug 2010 09:53:44 -0400
I am in agreement with much that has been stated - but the criticality regarding HIPAA compliance can be answered with one question: "Is the information being communicated / exchanged via 'trusted' paths (source, destination, access control, data at rest, etc.)?" If you can effectively justify and defend your response, compliance is not an issue. From my experience most cannot, and therefore encryption is not just a requirement, but an act of due diligence / standard of care!

-Chris

Erwin (Chris) Louis Carrow, CISSP, INFOSEC, CCSP, CCNP, OCM
IT Audit Director, Office of Internal Audit and Compliance
Board of Regents, University System of Georgia
Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: erwin.carrow () usg edu

**********CONFIDENTIALITY NOTICE****************
This e-mail and any attachments may contain private, confidential, and privileged information for the sole use of the intended recipient. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please contact the sender, keep the contents confidential and immediately delete the message and any attachments from your system.
***********************************************

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY automatic digest system
Sent: Saturday, August 28, 2010 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182)

There are 7 messages totalling 1706 lines in this issue.

Topics of the day:

1. HIPAA Requires Encryption? (2)
2. Lockout Settings (5)

----------------------------------------------------------------------

Date: Thu, 26 Aug 2010 22:17:48 -0600
From: Ozzie Paez <ozpaez () SPRYNET COM>
Subject: Re: HIPAA Requires Encryption?

Dear Mike,

Yours is a very logical approach and I cannot disagree with you technically; however, the regulatory environment has factors which often drive a decision. When it comes to sensitive personal information such as what we deal with in HIPAA, there is always the issue of liability and its attractive effects on attorneys. In that light, some things are simply expected, and when they are not there, the organization's liability based on perception increases significantly. Explaining to a jury why technically encryption is not necessary takes time and exposes any technical argument to a counter technical argument. In the end, the jury may well throw up its hands and cancel the experts out, which leaves the attorney with the simple question of "How could they justify leaving this data unencrypted just to save a few dollars?" or "Everyone knows that encryption protects privacy and yet they did not care enough to spend a few dollars more to protect my clients' most private information?" Anyway, my two cents' worth is that it is just not worth the risk, because encryption has become a kind of expected elixir which, whether effective or not, affects overall risks and liabilities.

Great points in your e-mail though.

Ozzie

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Thursday, August 26, 2010 9:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

Doesn't the question of "should we encrypt" vs. "do we have to encrypt" with ANY kind of data (HIPAA, or any other) also depend on the state of the data? Is the data "at rest" and other protections are already in place? ... or is the data "in transit" and open (i.e., being e-mailed or copied across WAN links)? ... or is the data "in use", and still protected because there's an authorized user monitoring the screen?

I used to deal with highly sensitive data and for us, it always came down to "...it depends...". Policy always had to come down to the circumstances behind the how, why, where, and when associated with the use of the data; trying to adhere to a "one policy fits all" situation was a losing proposition.

Just my $.02.

M

_____
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez [ozpaez () SPRYNET COM]
Sent: Thursday, August 26, 2010 9:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

Hey Matthew,

HIPAA does not require it, but any reasonable cost estimate will show that it is worth it. The risks and costs of dealing with unencrypted lost data are so much higher that it is a risk not worth taking, particularly if you already have the infrastructure in place. Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?

Very recently, I inherited the job of focusing information security efforts. In the process of upgrading a SQL server, a question has arisen regarding the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the server and the backup media. It does come at some additional cost, though it's manageable. Before proceeding, however, I thought I'd ask if anyone has suggestions.
Thanks,
--Matthew Link.
Director, User Services
Information Services, UCM
660-543-8063
link () ucmo edu

--
This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/>, and is believed to be clean.

------------------------------

Date: Fri, 27 Aug 2010 10:25:16 -0400
From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Subject: Re: HIPAA Requires Encryption?

As part of your risk assessment you may also want to review the HITECH regs on breach notification for unsecured PHI and those specifications for encryption for both data at rest and in motion (and for data destruction).

-Faith
_____________________

45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim Final Rule
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf [pg 42742-42743]

"Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu
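For the concrete case in Matthew's question (EPHI on a SQL server plus its backup media), the following is an added example of how the safe-harbor conditions Faith quotes map onto database settings; it is not code from any message in this digest. It assumes Microsoft SQL Server with Transparent Data Encryption (Enterprise edition on the 2008-era releases, Standard as well from SQL Server 2019) and, for the backup step, the backup encryption option that arrived in SQL Server 2014. The database name EPHI, the certificate name TDECert, the file paths and the passwords are placeholders.

```sql
-- Added example (not from the thread): SQL Server TDE plus encrypted backups,
-- with the certificate and private key exported to media held apart from the
-- data. EPHI, TDECert, the paths and the passwords are placeholders.
USE master;
GO

-- 1. Database master key in master; the service master key protects it.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO

-- 2. Certificate whose private key will protect the database encryption key.
CREATE CERTIFICATE TDECert
    WITH SUBJECT = 'TDE certificate for EPHI database',
         EXPIRY_DATE = '20301231';
GO

-- 3. Export the certificate and private key BEFORE enabling encryption, and
--    keep the two files and their password on media that never travels with
--    the database backups (the "decryption tools ... stored on a device or at
--    a location separate from the data" condition). Without them an encrypted
--    backup cannot be restored anywhere, including after a server rebuild.
BACKUP CERTIFICATE TDECert
    TO FILE = 'K:\keyvault\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'K:\keyvault\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 4. Per-database encryption key, AES-256, protected by the certificate.
USE EPHI;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE EPHI SET ENCRYPTION ON;
GO

-- 5. Verify. encryption_state 3 = encrypted, 2 = encryption in progress.
--    tempdb appears here too once any user database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;
GO

-- 6. Backups. A backup of a TDE database is already unreadable without the
--    certificate; WITH ENCRYPTION (SQL Server 2014 and later) encrypts the
--    backup file itself and is the form to use where TDE is not available.
--    CHECKSUM makes a tampered or damaged backup fail verification.
BACKUP DATABASE EPHI
    TO DISK = 'E:\backups\EPHI_full.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TDECert),
         CHECKSUM;
GO

-- 7. Restore drill on a second server: import the certificate from the
--    separately held files first, then restore. If this cannot be done, the
--    key separation is failing in the other direction (keys not recoverable).
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<other server master key password>';
-- CREATE CERTIFICATE TDECert
--     FROM FILE = 'K:\keyvault\TDECert.cer'
--     WITH PRIVATE KEY (FILE = 'K:\keyvault\TDECert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong private key password>');
-- RESTORE DATABASE EPHI FROM DISK = 'E:\backups\EPHI_full.bak' WITH RECOVERY;
```

The point a reviewer should check is step 3, not step 4: TDE with the certificate backup sitting on the same backup tape as the .bak files gives the encryption without the key separation, and a lost tape then carries both the ciphertext and the means to read it.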
Save a tree - please consider the environment before printing this email.

Please be aware that email communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately and destroy this message. If you wish to confirm the content of this message and/or the identity of the sender please contact me at the phone number given above.

------------------------------

Date: Fri, 27 Aug 2010 13:22:27 -0700
From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Subject: Lockout Settings

I'd like to get everyone's feedback on their current enterprise settings for screen lockout. This discussion has re-emerged for us as we roll out SharePoint with Windows Authentication (rather than through an ISA server), which will provide portals (without a second login/password requirement) into some applications which maintain sensitive data. Is everyone using a 15 minute screen lockout? Do you have SharePoint? Browser timeout?

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, June 11, 2009 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Timeout/Lockout Settings

15 minutes for us as well. There are a few exceptions like an OU for admissions counselors. Lock it when you leave it is ideal.

Jacob Barros
Network Administrator
Grace College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard
Sent: Wednesday, June 10, 2009 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Timeout/Lockout Settings

I am curious to know how other peer institutions are setting up their timeout/lockout settings.

How are you enforcing the timeouts (Pointsec, Windows settings, screensaver, etc.)? How long must the PC be inactive for the timeout setting to take effect? Do the time limits vary based on user?

Thanks all!

Adam Richard '05
IT Security Analyst/Operations Specialist
Messiah College
Hoffman 211
(717) 796-1800 x.6570
One College Ave.
Information Technology Services
Box 3055
Grantham, PA 17027
"ITS will never ask you for your password"

------------------------------

Date: Fri, 27 Aug 2010 13:36:56 -0700
From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Subject: Re: Lockout Settings

Hi Todd,
From an internal audit perspective, screen lockouts should be risk based. Obviously they are more important depending on the type of data that is involved and that could potentially be viewed / altered by unauthorised parties. Sounds like you are dealing with sensitive data, but if any of this is regulated data, e.g. personally identifiable data, then this may raise the risk even higher.

Also, consideration should be given to what type of environment is in place, e.g. open plan versus closed locked offices.

Lastly, users should be educated on the security risks of leaving open screens unattended, and policy should drive behaviour to get employees to 'Ctrl-Alt-Delete' before they leave their desk.

Once the above has been considered, management can make an informed decision about whether to set at 10, 15, 20 etc. minutes before screen lock out.

Cheers,
Jen

Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone: 604-822-6512
Fax: 604-822-9027
E-mail: Jradford () intaudit ubc ca
Web: www.intaudit.ubc.ca

The information contained in this e-mail message is strictly confidential and intended solely for the use of the designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.

------------------------------

Date: Fri, 27 Aug 2010 16:53:15 -0400
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Subject: Re: Lockout Settings

We use 15 as the default, but some areas are set to as little as 5 (health center, bursar, etc.), and controlled at the domain level so the user cannot disable it.

Good luck

-----Original Message-----
From: Radford, Jennifer [jradford () INTAUDIT UBC CA]
Received: 8/27/10 4:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU [SECURITY () LISTSERV EDUCAUSE EDU]
Subject: Re: [SECURITY] Lockout Settings

Hi Todd,
From an internal audit perspective, screen lockouts should be risk based. O=
bviously they are more important depending on the type of data that is invo= lved and that could potential by viewed / altered by unauthorised parties. = Sounds like you are dealing with sensitive data but if any of this is regul= ated data, e.g personally identifiable data, then this may raise the risk e= ven higher. Also, consideration should be given to what type of environment is in place= , e.g. open plan versus closed locked offices. Lastly, users should be educated on the security risks of leaving open scre= ens unattended and policy should drive behaviour to get employees to 'cntl = alt delete' before they leave their desk. Once the above has been considered, management can make an informed decisio= n about whether to set at 10, 15, 20 etc minutes before screen lock out. Cheers, Jen Jennifer Radford, Senior IT Audit Manager Internal Audit, UBC 6000 Iona Drive, Vancouver, BC Canada V6T 1L4 Phone: 604-822-6512 Fax: 604-822-9027 E-mail: Jradford () intaudit ubc ca Web: www.intaudit.ubc.ca<http://www.intaudit.ubc.ca> The information contained in this e-mail message is strictly confidential a= nd intended solely for the use of the designated addressee(s). Any unauthor= ized viewing, disclosure, copying or distribution of this e-mail is prohibi= ted and may be unlawful. If you have received this e-mail in error, please = do not read it, reply to the sender immediately to inform us that you are n= ot the intended recipient, and delete the e-mail from your computer system.= Thank you. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LIS= TSERV.EDUCAUSE.EDU] On Behalf Of Plesco, Todd Sent: Friday, August 27, 2010 1:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Lockout Settings I'd like to get everyone's feedback on their current enterprise settings fo= r screen lockout. 
This discussion has re emerged for us as we roll out Sha= repoint with Windows Authentication (rather than through an ISA server) whi= ch will provide portals (without a second login/password requirement) into = some applications which maintain sensitive data. Is everyone using a 15 mi= nute screen lockout? Do you have Sharepoint? Browser timeout? Todd A. Plesco CISM, CBCP Chapman University, Director of Information Security One University Drive, Orange, CA 92866 Phone: (714) 744-7979/Fax: (714) 744-7041 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LIS= TSERV.EDUCAUSE.EDU] On Behalf Of Barros, Jacob Sent: Thursday, June 11, 2009 12:00 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Timeout/Lockout Settings 15 minutes for us as well. There are a few exceptions like an OU for admissions counselors. Lock it when you leave it is ideal. Jacob Barros Network Administrator Grace College -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard Sent: Wednesday, June 10, 2009 10:35 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Timeout/Lockout Settings I am curious to know how other peer institutions are setting up their timeout/lockout settings. How are you enforcing the timeouts (pointsec, windows settings, screensaver,etc)? How long must the PC be inactive for the timeout setting to take effect? Do the time limits vary based on user? Thanks all! Adam Richard '05 IT Security Analyst/Operations Specialist Messiah College Hoffman 211 (717) 796-1800 x.6570 One College Ave. 
Information Technology Services Box 3055 Grantham, PA 17027 "ITS will never ask you for your password" --_000_BF662A4EE06D844081EA3B2DB8CCF22B0AD16ACAE4SSUMPEXCLUS01_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html><head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <meta name=3D"Generator" content=3D"Microsoft Exchange Server"> <!-- converted from text --> <style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left:= #800000 2px solid; } --></style></head> <body> <body style=3D"font-family:Arial,Helvetica,sans-serif; font-size:small; col= or:black"><span style=3D"font-family:Arial,Helvetica,sans-serif; font-size:= small; color:black">We use 15 as the default, but some areas are set to as = little as 5 (health center, bursar, ect )<br><br>And controlled at the doma= in level so the user cannot disabled.<br><br>Good luck<br><br></span><br><b= r>-----Original Message----- <br><b>From:</b> Radford, Jennifer [jradford@I= NTAUDIT.UBC.CA]<br><b>Received:</b> 8/27/10 4:47 PM<br><b>To:</b> SECURITY@= LISTSERV.EDUCAUSE.EDU [SECURITY () LISTSERV EDUCAUSE EDU]<br><b>Subject:</b> R= e: [SECURITY] Lockout Settings<br><br></body> <font size=3D"2"><div class=3D"PlainText">Hi Todd,<br> <br>
From an internal audit perspective, screen lockouts should be risk based. O=
bviously they are more important depending on the type of data that is invo= lved and that could potential by viewed / altered by unauthorised parties. = Sounds like you are dealing with sensitive data but if any of this is regul= ated data, e.g personally identifiable data, then this may raise the risk e= ven higher.<br> <br> Also, consideration should be given to what type of environment is in place= , e.g. open plan versus closed locked offices. <br> <br> Lastly, users should be educated on the security risks of leaving open scre= ens unattended and policy should drive behaviour to get employees to 'cntl = alt delete' before they leave their desk.<br> <br> Once the above has been considered, management can make an informed decisio= n about whether to set at 10, 15, 20 etc minutes before screen lock out.<br=
<br> Cheers,<br> <br> Jen<br> <br> <br> <br> Jennifer Radford, Senior IT Audit Manager<br> Internal Audit, UBC<br> 6000 Iona Drive, Vancouver, BC Canada V6T 1L4<br> Phone: 604-822-6512<br> Fax: 604-822-9027<br> E-mail: Jradford () intaudit ubc ca<br> Web: <a href=3D"http://www.intaudit.ubc.ca">www.intaudit.ubc.ca</a><b= r> The information contained in this e-mail message is strictly confidential a= nd intended solely for the use of the designated addressee(s). Any unauthor= ized viewing, disclosure, copying or distribution of this e-mail is prohibi= ted and may be unlawful. If you have received this e-mail in error, please = do not read it, reply to the sender immediately to inform us that you are n= ot the intended recipient, and delete the e-mail from your computer system.= Thank you.<br> <br> -----Original Message-----<br> From: The EDUCAUSE Security Constituent Group Listserv [<a href=3D"mailto:S= ECURITY () LISTSERV EDUCAUSE EDU">mailto:SECURITY () LISTSERV EDUCAUSE EDU</a>] O= n Behalf Of Plesco, Todd<br> Sent: Friday, August 27, 2010 1:22 PM<br> To: SECURITY () LISTSERV EDUCAUSE EDU<br> Subject: [SECURITY] Lockout Settings<br> <br> I'd like to get everyone's feedback on their current enterprise settings fo= r screen lockout. This discussion has re emerged for us as we roll ou= t Sharepoint with Windows Authentication (rather than through an ISA server= ) which will provide portals (without a second login/password requirement) = into some applications which maintain sensitive data. Is everyone usi= ng a 15 minute screen lockout? Do you have Sharepoint? Browser timeou= t?<br> <br> Todd A. 
Plesco CISM, CBCP<br> Chapman University, Director of Information Security<br> One University Drive, Orange, CA 92866<br> Phone: (714) 744-7979/Fax: (714) 744-7041<br> <br> <br> -----Original Message-----<br> From: The EDUCAUSE Security Constituent Group Listserv [<a href=3D"mailto:S= ECURITY () LISTSERV EDUCAUSE EDU">mailto:SECURITY () LISTSERV EDUCAUSE EDU</a>] O= n Behalf Of Barros, Jacob<br> Sent: Thursday, June 11, 2009 12:00 PM<br> To: SECURITY () LISTSERV EDUCAUSE EDU<br> Subject: Re: [SECURITY] Timeout/Lockout Settings<br> <br> 15 minutes for us as well. There are a few exceptions like an OU for<= br> admissions counselors. Lock it when you leave it is ideal. <br> <br> Jacob Barros<br> Network Administrator<br> Grace College<br> <br> <br> -----Original Message-----<br> From: The EDUCAUSE Security Constituent Group Listserv<br> [<a href=3D"mailto:SECURITY () LISTSERV EDUCAUSE EDU">mailto:SECURITY@LISTSERV= .EDUCAUSE.EDU</a>] On Behalf Of Adam Richard<br> Sent: Wednesday, June 10, 2009 10:35 AM<br> To: SECURITY () LISTSERV EDUCAUSE EDU<br> Subject: [SECURITY] Timeout/Lockout Settings<br> <br> I am curious to know how other peer institutions are setting up their<br> timeout/lockout settings. <br> <br> How are you enforcing the timeouts (pointsec, windows settings,<br> screensaver,etc)?<br> <br> How long must the PC be inactive for the timeout setting to take effect?<br=
Do<br> the time limits vary based on user?<br> <br> Thanks all!<br> <br> Adam Richard '05<br> IT Security Analyst/Operations Specialist<br> <br> Messiah College<br> Hoffman 211<br> (717) 796-1800 x.6570<br> <br> One College Ave.<br> Information Technology Services<br> Box 3055<br> Grantham, PA 17027<br> <br> "ITS will never ask you for your password"<br> </div></font> </body> </html> --_000_BF662A4EE06D844081EA3B2DB8CCF22B0AD16ACAE4SSUMPEXCLUS01_-- ------------------------------ Date: Fri, 27 Aug 2010 15:53:32 -0500 From: "Doty, Timothy T." <tdoty () MST EDU> Subject: Re: Lockout Settings This is a multipart message in MIME format. ------=_NextPart_000_02C0_01CB45FF.E79D16C0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I would just like to point out that "Windows Key-L" is faster and more reliable than the ctrl-alt-del method. I've had windows be sluggish about pulling up the dialog, and iffy for catching the return key stroke -- all of which is significant if the employee is in a hurry to leave. Tim Doty
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Radford, Jennifer Sent: Friday, August 27, 2010 3:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Lockout Settings =20 Hi Todd, =20 From an internal audit perspective, screen lockouts should be risk based. Obviously they are more important depending on the type of data that is involved and that could potential by viewed / altered by unauthorised parties. Sounds like you are dealing with sensitive data but if any of this is regulated data, e.g personally identifiable =
data,
then this may raise the risk even higher. =20 Also, consideration should be given to what type of environment is in place, e.g. open plan versus closed locked offices. =20 Lastly, users should be educated on the security risks of leaving open screens unattended and policy should drive behaviour to get employees to 'cntl alt delete' before they leave their desk. =20 Once the above has been considered, management can make an informed decision about whether to set at 10, 15, 20 etc minutes before screen lock out. =20 Cheers, =20 Jen =20 =20 =20 Jennifer Radford, Senior IT Audit Manager Internal Audit, UBC 6000 Iona Drive, Vancouver, BC Canada V6T 1L4 Phone: 604-822-6512 Fax: 604-822-9027 E-mail: Jradford () intaudit ubc ca Web: www.intaudit.ubc.ca The information contained in this e-mail message is strictly confidential and intended solely for the use of the designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and may be unlawful. If you have received this e-mail in error, please do not read it, reply to =
the
sender immediately to inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you. =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd Sent: Friday, August 27, 2010 1:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Lockout Settings =20 I'd like to get everyone's feedback on their current enterprise settings for screen lockout. This discussion has re emerged for us as we roll out Sharepoint with Windows Authentication (rather than =
through
an ISA server) which will provide portals (without a second login/password requirement) into some applications which maintain sensitive data. Is everyone using a 15 minute screen lockout? Do you have Sharepoint? Browser timeout? =20 Todd A. Plesco=A0 CISM, CBCP Chapman University, Director of Information Security One University Drive, Orange, CA 92866 Phone: (714) 744-7979/Fax: (714) 744-7041 =20 =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob Sent: Thursday, June 11, 2009 12:00 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Timeout/Lockout Settings =20 15 minutes for us as well. There are a few exceptions like an OU for admissions counselors. Lock it when you leave it is ideal. =20 Jacob Barros Network Administrator Grace College =20 =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard Sent: Wednesday, June 10, 2009 10:35 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Timeout/Lockout Settings =20 I am curious to know how other peer institutions are setting up their timeout/lockout settings. =20 How are you enforcing the timeouts (pointsec, windows settings, screensaver,etc)? =20 How long must the PC be inactive for the timeout setting to take effect? Do the time limits vary based on user? =20 Thanks all! =20 Adam Richard '05 IT Security Analyst/Operations Specialist =20 Messiah College Hoffman 211 (717) 796-1800 x.6570 =20 One College Ave. Information Technology Services Box 3055 Grantham, PA 17027 =20 "ITS will never ask you for your password"
------=_NextPart_000_02C0_01CB45FF.E79D16C0 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIWXTCCBakw ggUSoAMCAQICCibDMwUAAAAAN/gwDQYJKoZIhvcNAQEFBQAwcDETMBEGCgmSJomT8ixkARkWA2Vk dTETMBEGCgmSJomT8ixkARkWA21zdDFEMEIGA1UEAxM7TWlzc291cmkgVW5pdmVyc2l0eSBvZiBT Y2llbmNlIGFuZCBUZWNobm9sb2d5IEVudGVycHJpc2UgQ0EwHhcNMTAwNzIwMTMyNjQ3WhcNMTEw NzIwMTMyNjQ3WjCBjjETMBEGCgmSJomT8ixkARkWA2VkdTETMBEGCgmSJomT8ixkARkWA21zdDER MA8GA1UECxMIQWNjb3VudHMxFjAUBgNVBAsTDVN0YWZmLUZhY3VsdHkxGTAXBgNVBAMTEERvdHks IFRpbW90aHkgVC4xHDAaBgkqhkiG9w0BCQEWDXRkb3R5QG1zdC5lZHUwgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAK/VGBrpG9F0IDPaZxgXR6NiI+IhBYvglScDUK37o7L0LayFRW7bKYqrtVme 6kAWhs62056fpPlhnQ0kAfGUxr5/Xvm4cFoos/vRwurnDw1WueBvCaeG3Az3yd90nXHumOZ9FaXV EnnVbPFWBFfp5mZuWQEL/3FEUDVw4qPE6Bh5AgMBAAGjggMpMIIDJTAdBgNVHQ4EFgQUQ39080Ji 8/9FJGozj8MMg4hEV/QwHwYDVR0jBBgwFoAUuiX3GekZ1b9PekOmmk3on4TEzTgwewYDVR0fBHQw cjBwoG6gbIZqaHR0cDovL2NhLm1zdC5lZHUvQ2VydEVucm9sbC9NaXNzb3VyaSUyMFVuaXZlcnNp dHklMjBvZiUyMFNjaWVuY2UlMjBhbmQlMjBUZWNobm9sb2d5JTIwRW50ZXJwcmlzZSUyMENBLmNy bDCCAYYGCCsGAQUFBwEBBIIBeDCCAXQwge0GCCsGAQUFBzAChoHgbGRhcDovLy9DTj1NaXNzb3Vy aSUyMFVuaXZlcnNpdHklMjBvZiUyMFNjaWVuY2UlMjBhbmQlMjBUZWNobm9sb2d5JTIwRW50ZXIt Mjc5NjcsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNv bmZpZ3VyYXRpb24sREM9dW1hZCxEQz11bXN5c3RlbSxEQz1lZHU/Y0FDZXJ0aWZpY2F0ZT9iYXNl P29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwgYEGCCsGAQUFBzAChnVodHRwOi8v Y2EubXN0LmVkdS9DZXJ0RW5yb2xsL2NhLm1zdC5lZHVfTWlzc291cmklMjBVbml2ZXJzaXR5JTIw b2YlMjBTY2llbmNlJTIwYW5kJTIwVGVjaG5vbG9neSUyMEVudGVycHJpc2UlMjBDQS5jcnQwFwYJ KwYBBAGCNxQCBAoeCABVAHMAZQByMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMCkGA1UdJQQi MCAGCisGAQQBgjcKAwQGCCsGAQUFBwMEBggrBgEFBQcDAjA3BgNVHREEMDAuoB0GCisGAQQBgjcU AgOgDwwNdGRvdHlAbXN0LmVkdYENdGRvdHlAbXN0LmVkdTBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqG 
SIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJKoZIhvcN AQEFBQADgYEAKXZfKXa2rEHqY68pUYMatkkDG9sTkd1ZH6a/6lvmQ2EjJy799ZxEE9sqtJG/kV7y 915Gf6kW5PliOwiHibWQ/8Lfvpm65MK0S2Pc6/zpvQ43n01WphjY45pn1qXX+kjD80sW3/nqmW0R 9Yrl4yFEev6NqHhioA9PRHxv+nNYP54wggcnMIIFD6ADAgECAhAqJo03DA4ihEPnGCSLFa2+MA0G CSqGSIb3DQEBBAUAMIHFMR4wHAYJKoZIhvcNAQkBFg9jYUB1bXN5c3RlbS5lZHUxCzAJBgNVBAYT AlVTMREwDwYDVQQIEwhNaXNzb3VyaTERMA8GA1UEBxMIQ29sdW1iaWExHzAdBgNVBAoTFlVuaXZl cnNpdHkgb2YgTWlzc291cmkxHzAdBgNVBAsTFkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxLjAsBgNV BAMTJVVuaXZlcnNpdHkgb2YgTWlzc291cmkgUm9vdCBBdXRob3JpdHkwHhcNMDEwMTA4MTQ0NTM3 WhcNMjQxMjMxMTQ0NTM3WjCBxTEeMBwGCSqGSIb3DQEJARYPY2FAdW1zeXN0ZW0uZWR1MQswCQYD VQQGEwJVUzERMA8GA1UECBMITWlzc291cmkxETAPBgNVBAcTCENvbHVtYmlhMR8wHQYDVQQKExZV bml2ZXJzaXR5IG9mIE1pc3NvdXJpMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MS4w LAYDVQQDEyVVbml2ZXJzaXR5IG9mIE1pc3NvdXJpIFJvb3QgQXV0aG9yaXR5MIICIjANBgkqhkiG 9w0BAQEFAAOCAg8AMIICCgKCAgEAzBvYya8N/FVIPNkoecxC07okgfeMIB7gr4rTicg+ZlAmHodU uCBbXLqElNV+MVqRMdxAus0Vd7IU67qEOzHa070GihlO/EG+1u5xSdktQQWlgxAWI7r2AKiIHmbm xMuD487wVCDZalLUyrQhkTLTZIZgEIvBL+sbZ+Dh6mPCYR67tJ3V/IJVyc6FzDWVu+5kF8PuyG8W jX2FZsT9AvzHxw2tlWJsTBPS5dSLfnLB5fvjbvGt5FKYDRmqKHJFcgu8xkzvFUFbbdljJgepgV0a qhmzRgZZ5rW+8R/sDJqT5Ve2X2bTsaRbrAHmMzpCt+ZdvMGpoQBOMEUqBG74QZTZLmujL20ZIOrE WnWktY6btoMECU/EYmEJQEJ3jw6Ng/92fX6D+djqeRSrJ+OZNmaXx1UN/cUskKGfGq4yH8b1cea+ FRCMtWo97yd5d+hux6yvL7Q3UFQTxvSp81PJ0UqgVQ4D2tdz8z2WH5H+P3xBsG4+W8yl8aY2Qw/W aaDI9FIB9mlmI+JUe/p9BUBSix4HzOS1lEUpPyMgc133KjLdyIRU79BrOmFQK23UNo8eTU4gdZW+ e1Ue+8/I4VqKRkglMob2WLBD+lHN2Fvx9oZG9aXldub1j9UB1f5qQCJdq+jyv1tBhZmE7UKcgn9W jHzRAFRu9UC3y1sAy9UjOAxYoukCAwEAAaOCAQ8wggELMAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBTA7vQakS5W9INZVV54GT7+GBNFwzCBuQYDVR0fBIGxMIGuMFSgUqBQ hk5odHRwOi8vdW0tcm9vdC1jYS9DZXJ0RW5yb2xsL1VuaXZlcnNpdHklMjBvZiUyME1pc3NvdXJp JTIwUm9vdCUyMEF1dGhvcml0eS5jcmwwVqBUoFKGUGZpbGU6Ly9cXFVNLVJPT1QtQ0FcQ2VydEVu 
cm9sbFxVbml2ZXJzaXR5JTIwb2YlMjBNaXNzb3VyaSUyMFJvb3QlMjBBdXRob3JpdHkuY3JsMBAG CSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBAUAA4ICAQC3XyqXRvwF5STq9vPJ+aqGHy6IGj9T 4hx39kow+H89kU7au2WmhKT0jhPoDwjE0u5O2nU016NTkmGKSwp+mNpNjYvs9+49VUGJ4EuY5IbS jAX5qRvu/mguxaYbJKrcC8wl84KcK6QkBd+gHpAjPfASW9Unq8Wae/c8/uYKpWGxg83gVNc0RwBT hMWAFRLEbFEnwiwo3MB1MXi5pjbpqxAEJ2pHWma+JjuBrrBqzXgroqLX3M5a/4ZzVxbDJolE+7jS UMT6wfCLfsr8azez5JpaNEMRf1qB5h7cnNAaOvxfOk1lkHJT5qbqGCjKXQP27p96J+RhYDiNs6Nt fBDKfLT7bs8hWR4In2ABKk58+uoyPBfxZ4zEx/UZfkR0iit7bVF3qNIuvwJQImfKrmy/RaCionv9 JTy/TnaRQlC+j+W1aLTS6r8qQygZrbK50OJF5o5QA9UnUMng6qfv13PfM32zstykcA2qNbZZ7ajH Geb90Iikdn66eMg8OUOh+ulGPFSTN01G/W2EkO+vP2E4SRhvHJElGMasmpWPXFRNXIDVWLC0R7kJ +fjRTCehvtypClensQjipMHUtL1JNdNGHOBE8RZz/URF4s82zOUWPfCQAYU3V1Am8qlCocjDOMeh 23WXkZfajstzbySx9aVafttdv/SyagvfUrxZUwfuZWHodjCCCYEwggdpoAMCAQICCnIM6fEAAAAA AB0wDQYJKoZIhvcNAQEEBQAwgcUxHjAcBgkqhkiG9w0BCQEWD2NhQHVtc3lzdGVtLmVkdTELMAkG A1UEBhMCVVMxETAPBgNVBAgTCE1pc3NvdXJpMREwDwYDVQQHEwhDb2x1bWJpYTEfMB0GA1UEChMW VW5pdmVyc2l0eSBvZiBNaXNzb3VyaTEfMB0GA1UECxMWSW5mb3JtYXRpb24gVGVjaG5vbG9neTEu MCwGA1UEAxMlVW5pdmVyc2l0eSBvZiBNaXNzb3VyaSBSb290IEF1dGhvcml0eTAeFw0wNzEyMTgx NDEyMjlaFw0xNzEyMTgxNDIyMjlaMHAxEzARBgoJkiaJk/IsZAEZFgNlZHUxEzARBgoJkiaJk/Is ZAEZFgNtc3QxRDBCBgNVBAMTO01pc3NvdXJpIFVuaXZlcnNpdHkgb2YgU2NpZW5jZSBhbmQgVGVj aG5vbG9neSBFbnRlcnByaXNlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBvYxu8YLs b2tA0Ki9PY1KIaNRZJiXYPJow4RLC+XOoxULG87Bsy20YfQuzUMwWJGK5ikoULdF/TyHf7vYKoOf 7uLF9IYBNoY8bYbMCYChRKySZT7CjG8mzNSe8KE90ZxjCa7U0N817uWKz1jYjfLtuhygr0aX/Kpf pfxa+bAdjwIDAQABo4IFSTCCBUUwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUuiX3GekZ1b9P ekOmmk3on4TEzTgwCwYDVR0PBAQDAgGGMBAGCSsGAQQBgjcVAQQDAgEAMBkGCSsGAQQBgjcUAgQM HgoAUwB1AGIAQwBBMB8GA1UdIwQYMBaAFMDu9BqRLlb0g1lVXngZPv4YE0XDMIICXAYDVR0fBIIC UzCCAk8wggJLoIICR6CCAkOGgeBsZGFwOi8vL0NOPVVuaXZlcnNpdHklMjBvZiUyME1pc3NvdXJp JTIwUm9vdCUyMEF1dGhvcml0eSxDTj1VTS1ST09ULUNBLENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl 
MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXVtYWQsREM9dW1zeXN0 ZW0sREM9ZWR1P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxE aXN0cmlidXRpb25Qb2ludIaB/GxkYXA6Ly8vdW1hZC1kYzAxLnVtYWQudW1zeXN0ZW0uZWR1L0NO PVVuaXZlcnNpdHklMjBvZiUyME1pc3NvdXJpJTIwUm9vdCUyMEF1dGhvcml0eSxDTj1VTS1ST09U LUNBLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25m aWd1cmF0aW9uLERDPXVtYWQsREM9dW1zeXN0ZW0sREM9ZWR1P2NlcnRpZmljYXRlUmV2b2NhdGlv bkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIZfaHR0cDovL3VtYWQt ZGMwMS51bWFkLnVtc3lzdGVtLmVkdS9DZXJ0RW5yb2xsL1VuaXZlcnNpdHklMjBvZiUyME1pc3Nv dXJpJTIwUm9vdCUyMEF1dGhvcml0eS5jcmwwggJWBggrBgEFBQcBAQSCAkgwggJEMIHVBggrBgEF BQcwAoaByGxkYXA6Ly8vQ049VW5pdmVyc2l0eSUyMG9mJTIwTWlzc291cmklMjBSb290JTIwQXV0 aG9yaXR5LENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D b25maWd1cmF0aW9uLERDPXVtYWQsREM9dW1zeXN0ZW0sREM9ZWR1P2NBQ2VydGlmaWNhdGU/YmFz ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MIHxBggrBgEFBQcwAoaB5GxkYXA6 Ly8vdW1hZC1kYzAxLnVtYWQudW1zeXN0ZW0uZWR1L0NOPVVuaXZlcnNpdHklMjBvZiUyME1pc3Nv dXJpJTIwUm9vdCUyMEF1dGhvcml0eSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz11bWFkLERDPXVtc3lzdGVtLERDPWVkdT9j QUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTB2Bggr BgEFBQcwAoZqaHR0cDovL3VtYWQtZGMwMS51bWFkLnVtc3lzdGVtLmVkdS9DZXJ0RW5yb2xsL3Vt LXJvb3QtY2FfVW5pdmVyc2l0eSUyMG9mJTIwTWlzc291cmklMjBSb290JTIwQXV0aG9yaXR5LmNy dDANBgkqhkiG9w0BAQQFAAOCAgEAutVV5zAU9bA4KJL5fO5w48BMsHUh7FOJUZuWHb0EsEQu8nZ5 VGZ4Oq2EHkm3dxcSZAo7DFIpwrUDQG/gSYSma19Er9lOHjles2SdzXqUvN5XFMuvJN7dvw0tI5qK 04r+tosN2xCFrTesOcugjzzl/ESdBxdN8BffX28vpysrWZzKbjASua8/Z/N+W43YxenSqgQdkviy br13GkeS/7bRMUDfWxjTz8dBIr7LNRF4Yz2aBEoA3YM7Q85mw1vAVXxHe3G/0jX6MYYzk6fHzbKi JObs+5Qe96JcrMJ1MtyGG++Og93jDZ9o4MGudeGIs0U9tplHJwYLmoU5o/foc6IOYKLvRJCDBHN1 iqZNBIfMJz7PjyahsJgUZ7SwtiOsgwzoy2R5ww88ZQeJS4yKqNDcrAuzpEhyczGyH0EbSesXCY3J 
isTH7i5QhAGUYmTp30tIj8eGTyxQHkBEkhGr39si5r+boqW/4b0s9+zFBjnY61CDwccy1i290pTw mMVohW0mTxtsuHLFxjtpMt77GpSnanE3+lpxFYVajjvqyK1NxFG2rNc7PaLzTD71Vb8lXOVdqUg6 kQZAdH5Ltx+idITz+ersaQ7k/cRcqX1PmpeeyygAouZj8paM2ttWnQPBiVfueUnsxC4UhZX328Fd 2yidSFbXmxLi6rs94lDI+IDzbtUxggMSMIIDDgIBATB+MHAxEzARBgoJkiaJk/IsZAEZFgNlZHUx EzARBgoJkiaJk/IsZAEZFgNtc3QxRDBCBgNVBAMTO01pc3NvdXJpIFVuaXZlcnNpdHkgb2YgU2Np ZW5jZSBhbmQgVGVjaG5vbG9neSBFbnRlcnByaXNlIENBAgomwzMFAAAAADf4MAkGBSsOAwIaBQCg ggHqMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMDgyNzIwNTI1 MVowIwYJKoZIhvcNAQkEMRYEFE565ucVDapZcYfIy4jy91n8RM13MGcGCSqGSIb3DQEJDzFaMFgw CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqG SIb3DQMCAgEoMAcGBSsOAwIaMAoGCCqGSIb3DQIFMIGOBgkrBgEEAYI3EAQxgYAwfjBwMRMwEQYK CZImiZPyLGQBGRYDZWR1MRMwEQYKCZImiZPyLGQBGRYDbXN0MUQwQgYDVQQDEztNaXNzb3VyaSBV bml2ZXJzaXR5IG9mIFNjaWVuY2UgYW5kIFRlY2hub2xvZ3kgRW50ZXJwcmlzZSBDQQIKJsMzBQAA AAA3+DCBkAYLKoZIhvcNAQkQAgsxgYCgfjBwMRMwEQYKCZImiZPyLGQBGRYDZWR1MRMwEQYKCZIm iZPyLGQBGRYDbXN0MUQwQgYDVQQDEztNaXNzb3VyaSBVbml2ZXJzaXR5IG9mIFNjaWVuY2UgYW5k IFRlY2hub2xvZ3kgRW50ZXJwcmlzZSBDQQIKJsMzBQAAAAA3+DANBgkqhkiG9w0BAQEFAASBgKbd q4icKuL6R9IzycEMlU1gm6/kJeezd1wJyRpn54jdPY0Ho3TuNt6cr6WF6Xl2Q0qHy7VA1tjx4xNV GmPz2XxYoszvIuJYeHPePe9eIAM59yqorZuHGDztGGQsxUtVZNgCqeb/sUQr3tERhcO9zrqCynWv kZ+bUioB53Yax/jpAAAAAAAA ------=_NextPart_000_02C0_01CB45FF.E79D16C0-- ------------------------------ Date: Fri, 27 Aug 2010 16:59:42 -0500 From: "McCrary, Barbara" <bmccrary () OGSLP ORG> Subject: Re: Lockout Settings AGREED=20 Barbara McCrary=20 Chief Information Security Officer MCSE, MCSE:Security, +Messaging, CompTia:Security+ bmccrary () ogslp org Oklahoma State Regents for Higher Education 421 NW 13th, Ste 250=20 Oklahoma City, OK 73103=20 405 234.4316 office=20 405 234.4321 cell=20 405 234.4588 fax Note: This communication and attachments, if any, are intended solely = for the use of the addressee hereof. 
In addition, this information and = attachments, if any, may contain information that is confidential, = privileged and exempt from disclosure under applicable law, including, = but not limited to, the Privacy Act of 1974. If you are not the = intended recipient of this information, you are prohibited from reading, = disclosing, reproducing, distributing, disseminating, or otherwise using = this information. If you have received this message in error, please = promptly notify the sender and immediately, delete this communication = from your system. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv = [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, Timothy T. Sent: Friday, August 27, 2010 3:54 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Lockout Settings I would just like to point out that "Windows Key-L" is faster and more = reliable than the ctrl-alt-del method. I've had windows be sluggish about pulling up the dialog, and iffy for = catching the return key stroke -- all of which is significant if the = employee is in a hurry to leave. Tim Doty
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv=20 [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Radford, Jennifer Sent: Friday, August 27, 2010 3:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Lockout Settings =20 Hi Todd, =20 From an internal audit perspective, screen lockouts should be risk=20 based. Obviously they are more important depending on the type of data =
that is involved and that could potential by viewed / altered by=20 unauthorised parties. Sounds like you are dealing with sensitive data=20 but if any of this is regulated data, e.g personally identifiable=20 data, then this may raise the risk even higher. =20 Also, consideration should be given to what type of environment is in=20 place, e.g. open plan versus closed locked offices. =20 Lastly, users should be educated on the security risks of leaving open =
screens unattended and policy should drive behaviour to get employees=20 to 'cntl alt delete' before they leave their desk. =20 Once the above has been considered, management can make an informed=20 decision about whether to set at 10, 15, 20 etc minutes before screen=20 lock out. =20 Cheers, =20 Jen =20 =20 =20 Jennifer Radford, Senior IT Audit Manager Internal Audit, UBC 6000=20 Iona Drive, Vancouver, BC Canada V6T 1L4 Phone: 604-822-6512 Fax: 604-822-9027 E-mail: Jradford () intaudit ubc ca Web: www.intaudit.ubc.ca The information contained in this e-mail message is strictly=20 confidential and intended solely for the use of the designated=20 addressee(s). Any unauthorized viewing, disclosure, copying or=20 distribution of this e-mail is prohibited and may be unlawful. If you=20 have received this e-mail in error, please do not read it, reply to=20 the sender immediately to inform us that you are not the intended=20 recipient, and delete the e-mail from your computer system. Thank you. =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv=20 [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd Sent: Friday, August 27, 2010 1:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Lockout Settings =20 I'd like to get everyone's feedback on their current enterprise=20 settings for screen lockout. This discussion has re emerged for us as =
we roll out Sharepoint with Windows Authentication (rather than=20 through an ISA server) which will provide portals (without a second=20 login/password requirement) into some applications which maintain=20 sensitive data. Is everyone using a 15 minute screen lockout? Do you =
have Sharepoint? Browser timeout? =20 Todd A. Plesco=A0 CISM, CBCP Chapman University, Director of Information Security One University=20 Drive, Orange, CA 92866 Phone: (714) 744-7979/Fax: (714) 744-7041 =20 =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv=20 [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob Sent: Thursday, June 11, 2009 12:00 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Timeout/Lockout Settings =20 15 minutes for us as well. There are a few exceptions like an OU for=20 admissions counselors. Lock it when you leave it is ideal. =20 Jacob Barros Network Administrator Grace College =20 =20 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv=20 [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard Sent: Wednesday, June 10, 2009 10:35 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Timeout/Lockout Settings =20 I am curious to know how other peer institutions are setting up their=20 timeout/lockout settings. =20 How are you enforcing the timeouts (pointsec, windows settings,=20 screensaver,etc)? =20 How long must the PC be inactive for the timeout setting to take=20 effect? Do the time limits vary based on user? =20 Thanks all! =20 Adam Richard '05 IT Security Analyst/Operations Specialist =20 Messiah College Hoffman 211 (717) 796-1800 x.6570 =20 One College Ave. Information Technology Services Box 3055 Grantham, PA 17027 =20 "ITS will never ask you for your password"
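The thread settles on a tiered, domain-enforced lockout (15 minutes by default, shorter for areas such as a health center or bursar) that the user cannot turn off. As an added example, not code from any of the posters or their institutions, the PowerShell script below audits a workstation for exactly that: it reads the policy-enforced screen saver values and reports whether the lock is enabled, password-protected and within the tier's maximum idle time. The registry paths are the real locations that the "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Force specific screen saver" user policies write to, and `InactivityTimeoutSecs` is the real value behind the "Interactive logon: Machine inactivity limit" security option on Windows 8 / Server 2012 and later; the tier table, tier names and function names are assumptions constructed for this example.

```powershell
# Added example (not from the thread): audit policy-enforced screen lock
# settings on a Windows workstation against a tiered idle-time target.
# Run it in the context of the user whose policy you want to audit, because
# the screen saver policies are per-user (HKCU).

# Constructed tier table: default 15 minutes, 5 minutes for higher-risk areas.
$TargetSeconds = @{
    'Default'      = 900
    'HealthCenter' = 300
    'Bursar'       = 300
}

function Get-ScreenLockPolicy {
    # Values under the Policies hive are written by Group Policy and override
    # anything the user sets in Control Panel; if the key is absent, nothing
    # is enforced and the user can change or disable the lock.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Machine-wide inactivity limit (Windows 8 / Server 2012 and later). It locks
    # the session regardless of the screen saver, so it counts as enforcement too.
    $systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $systemKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Enforced              = ($null -ne $props)
        ScreenSaveActive      = $props.ScreenSaveActive        # REG_SZ "1" when enabled
        ScreenSaverIsSecure   = $props.ScreenSaverIsSecure     # REG_SZ "1" when password-protected
        ScreenSaverExe        = $props.'SCRNSAVE.EXE'          # set by "Force specific screen saver"
        TimeoutSeconds        = [int]$props.ScreenSaveTimeOut  # REG_SZ seconds; 0 if unset
        InactivityLimitSeconds = [int]$sys.InactivityTimeoutSecs  # REG_DWORD seconds; 0 if unset
    }
}

function Test-ScreenLockPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [int] $MaxTimeoutSeconds
    )
    $findings = @()

    # A machine inactivity limit inside the target satisfies the tier on its own.
    $machineLimitOk = ($Policy.InactivityLimitSeconds -gt 0 -and
                       $Policy.InactivityLimitSeconds -le $MaxTimeoutSeconds)

    if (-not $machineLimitOk) {
        if (-not $Policy.Enforced) {
            $findings += 'No policy-enforced screen saver settings; the user can change or disable the lock.'
        }
        if ($Policy.ScreenSaveActive -ne '1') {
            $findings += 'Screen saver is not enabled by policy.'
        }
        if ($Policy.ScreenSaverIsSecure -ne '1') {
            $findings += 'Screen saver is not password-protected, so the timeout never actually locks the screen.'
        }
        if (-not $Policy.ScreenSaverExe) {
            # Edge case: with no forced screen saver, the policy only takes effect if the
            # user has selected one in Control Panel, which is the gap a user can exploit
            # to leave the screen unlocked. Flag it for follow-up.
            $findings += 'No screen saver executable is forced; a user with none selected will never lock.'
        }
        if ($Policy.TimeoutSeconds -le 0 -or $Policy.TimeoutSeconds -gt $MaxTimeoutSeconds) {
            $findings += "Screen saver timeout is $($Policy.TimeoutSeconds)s; tier requires at most ${MaxTimeoutSeconds}s."
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Tier name comes from the command line (assumed convention); default tier otherwise.
$tier = if ($args.Count -gt 0 -and $TargetSeconds.ContainsKey($args[0])) { $args[0] } else { 'Default' }

$policy = Get-ScreenLockPolicy
$result = Test-ScreenLockPolicy -Policy $policy -MaxTimeoutSeconds $TargetSeconds[$tier]

$policy | Format-List
if ($result.Compliant) {
    "Compliant with the $tier tier (lock within $($TargetSeconds[$tier]) seconds of inactivity)."
} else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

Usage: `.\Test-ScreenLock.ps1 HealthCenter` checks against the 5 minute tier; with no argument it uses the 15 minute default. Because the check reads the Policies hive rather than the user's own `Control Panel\Desktop` key, a "compliant" result means the lock is enforced by the domain, which is the property Daniel Sarazen's post relies on; a lock that exists only in the user's own settings is reported as a finding.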
------------------------------ End of SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182) ***************************************************************