Educause Security Discussion mailing list archives

Re: Special needs students and passwords


From: Nick Lewis <lewisnic () ACM ORG>
Date: Wed, 1 Dec 2010 20:44:35 -0500

Just to add another edge case, what about people with low literacy and/or difficulty with English that are forced to use your systems? For example, required to complete mandatory online training or online only HR related processes? (For HR, maybe there should still be paper form options.)

I think this is where we need to make sure authentication is separated from authorization. Maybe it would be ok to have potentially weaker authentication for some accounts, but they shouldn't be authorized to use certain higher security applications/systems. For the hopefully minority of users who couldn't accommodate more complex passwords, but need to use a higher security system, maybe an alternative solution could be used (as suggested by others)? Maybe providing easy access to account management to people assisting others with difficulties could also help? The recent PCI standard doesn't make allowances for disabilities, but if the person with the disability only accesses one card at a time as a cashier, they may not need an account (and password).

Nick

-----Original Message-----
From: Paul Kendall
Sent: Wednesday, December 01, 2010 4:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Special needs students and passwords

An interesting conundrum. If you make the process easier, you introduce greater risk. Some standards (PCI DSS, for example) don't make allowances for disabilities, which can make it doubly difficult if this becomes an issue in that environment.

Biometric access (laptops, for example) may offer some type of solution, although not necessarily a universal one. In some cases, the student may have their own customized system, so ensuring it meets security requirements for network connectivity might be all that is needed, along with some way to authenticate to the network that preserves the integrity of the perimeter security requirements. However, this may not translate successfully into access for all internal applications.

At what point does one draw a distinction between 'reasonable access accommodations' and computing infrastructure security? I will be very curious to see where this thread leads.

Paul
========================================
Paul L. Kendall, Ph.D., CGEIT, CHS-III, CISM, CISSP, CSSLP
Certified HIPAA Professional
Certified HIPAA Security Specialist
PCI Qualified Security Assessor
Senior Consultant
Accudata Systems, Inc.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, December 01, 2010 2:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Special needs students and passwords

Assuming password policies are the result of a risk assessment, changing
those policies would imply a change in what is deemed acceptable risk.

Account compromises put shared systems at additional risk directly by
raising the possibility of elevation of privilege attacks and other people
and services at risk by raising the possibility of unauthorized access to
adjacent services or spoofing identity.





-----Original Message-----
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 1 Dec 2010 12:54:13 -0600
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Special needs students and passwords

I think this will quickly go beyond accessibility policy to needs for
technical implementations.

We've gotten a nibble or two on these items, and it looks like some of
them may require special-case exceptions to password change complexity
code, or alternate password-change applications, changes in LOA
requirement logic in application access control, amongst other things.

I'd purely love to hear real-world examples from anyone who's tried to
make progress on the technical side of accommodations in re: access
control and security systems.

  -jml

Valdis Kletnieks <Valdis.Kletnieks () VT EDU> 2010-12-01 12:22 >>>
On Wed, 01 Dec 2010 05:44:21 GMT, Stewart James said:

How are other institutes handling access for those students:

* Where reliably entering passwords is an issue?

Probably best addressed as part of an overall accessibility policy. If they
can't enter passwords, they're probably going to have problems after they get
past the password as well. You also need to deal with visually handicapped users
and so on - it may be you just need to bite the bullet and accept the fact that
some users can't use the general-use computers in the lab, and have to access
from (probably their own) systems that have specialized accessibility
input/output devices/etc.

* Short term memory retention may be an issue?

See above.



--
Gary Flynn

Security Engineer
James Madison University
