Educause Security Discussion mailing list archives
Re: Password security
From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Tue, 31 Jan 2012 17:12:27 -0800
Kevin,

I agree with everyone else here that it would be "best practice". However, I've seen that our industry hasn't taken to security well due to cost concerns and fear of "the man". Times are changing though, and we are starting to have to take it more seriously, so it would be prudent to take action against this.

Not sure if your CRM is in any way tied to monetary transactions (since it's tied to admissions and enrollment), but it's practically a requirement if sensitive information is on, or can be associated with (same login passwords?), that system. If so, look at FERPA, FTC Red Flags rules, PCI and your local laws to determine what the requirements are. From what I've seen, the requirements set by the governing bodies really care more about how you are mitigating risks and establishing compensating controls for systems that can't be fully hardened for whatever reason. It's also dependent on what your institution classifies as sensitive material.

One could argue that you could be in for some steep fines or at least a credibility problem if any information was stolen and used elsewhere. How much is that worth to your institution and are they willing to take that risk?

David Pirolo
Warner Pacific College

On Tue, 2012-01-31 at 23:00 +0000, Palmer, Kevin wrote:
Colleagues,

I apologize in advance for the cross listing, but it was suggested that this list may have some interesting responses to this issue.

I have a question regarding a very large third party CRM vendor. As expected, the vendor allows users (leads/applicants) to set up password-protected accounts to enter in general and sensitive information about themselves and eventually use this and additional information to submit an application to the institution.

We (Tech staff) have recently learned that the user passwords are stored in clear text, and are available to the employees in admissions who work on the system. We have asked about encrypting the passwords, and the vendor has told our folks that no one else in higher education is encrypting passwords and that it would be difficult, leading our admissions/enrollment management folks to question whether or not this is a “best practice”. I think it is simply being prudent, and that there is no reason for anyone to know another person's authentication credentials.

What are your thoughts? Is this over-the-top security?

Best regards,
Kev

Kevin Palmer
Chief Information Officer
Columbia College
1001 Rogers Street
Launer 9
Columbia, MO 65216
(573)875-7329
kpalmer () ccis edu
www.ccis.edu