Educause Security Discussion mailing list archives

Re: Password security


From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Tue, 31 Jan 2012 17:12:27 -0800

Kevin,
I agree with everyone else here that it would be "best practice".
However, I've seen that our industry hasn't taken to security well due
to cost concerns and fear of "the man".  Times are changing though and
we are starting to have to take it more seriously so it would be prudent
to take action against this.  

Not sure if your CRM is in any way tied to monetary transactions (since
it's tied to admissions and enrollment), but it's practically a
requirement if sensitive information is on, or can be associated with
(same login passwords?), that system.  If so, look at FERPA, FTC Red
Flags rules, PCI and your local laws to determine what the requirements
are.

From what I've seen, the requirements set by the governing bodies really
care more about how you are mitigating risks and establishing compensating
controls for systems that can't be fully hardened for whatever reason.
It's also dependent on what your institution classifies as sensitive
material.  One could argue that you could be in for some steep fines or
at least a credibility problem if any information was stolen and used
elsewhere.  How much is that worth to your institution and are they
willing to take that risk?

David Pirolo
Warner Pacific College


On Tue, 2012-01-31 at 23:00 +0000, Palmer, Kevin wrote:
Colleagues,

  I apologize in advance for the cross listing, but it was suggested
that this list may have some interesting responses to this issue.


  I have a question regarding a very large third party CRM vendor.  As
expected, the vendor allows users (leads/applicants) to set up
password-protected accounts to enter in general and sensitive
information about themselves and eventually use this and additional
information to submit an application to the institution.  We (Tech
staff) have recently learned that the user passwords are stored in
clear text, and are available to the employees in admissions who work
on the system.


  We have asked about encrypting the passwords, and the vendor has
told our folks that no one else in higher education is encrypting
passwords and that it would be difficult, leading our
admissions/enrollment management folks to question whether or not this
is a “best practice”.  I think it is simply being prudent, and that
there is no reason for anyone to know another person’s authentication
credentials.  What are your thoughts?  Is this over-the-top security?


Best regards,

Kev

Kevin Palmer
Chief Information Officer
Columbia College
1001 Rogers Street
Launer 9
Columbia, MO 65216
(573)875-7329
kpalmer () ccis edu
www.ccis.edu



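The thread asks whether keeping applicants' passwords out of staff view is "over-the-top". What the posters call "encrypting" is, in practice, one-way salted hashing: the system stores only something derived from the password, which lets it check a login but never lets anyone (vendor, admissions staff, or whoever copies the table) read the password back. The following is an added example, not code from either poster or from the CRM vendor, using only the Python standard library. The iteration count, the record format and the "applicant" rows are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Tunable work factor. 600,000 PBKDF2-HMAC-SHA256 iterations is a common
# 2023-era recommendation; the right number is "as slow as your login path
# can tolerate" and should be revisited as hardware gets faster.
# (Assumption for this example, not a value from the thread.)
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two applicants who pick the same
    password get different stored values, so one cracked hash tells an
    attacker (or an admissions employee) nothing about the other account.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare.

    hmac.compare_digest does not short-circuit on the first differing byte,
    so a wrong guess cannot be narrowed down by timing the comparison.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never "fail open"
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the vendor's clear-text user table (not real data).
SAMPLE_CLEARTEXT_ROWS = [
    {"user_id": 101, "email": "applicant.one@example.edu", "password": "GoCougars2012"},
    {"user_id": 102, "email": "applicant.two@example.edu", "password": "GoCougars2012"},
    {"user_id": 103, "email": "applicant.three@example.edu", "password": "correct horse battery staple"},
]


def migrate_cleartext_table(rows, *, iterations=DEFAULT_ITERATIONS):
    """Replace the clear-text 'password' column with a 'password_hash' column.

    After this runs, the only password-derived value left in the table is the
    hash, which lets the system check a login but gives staff nothing they
    could type into another site (e.g. the applicant's e-mail account).
    """
    migrated = []
    for row in rows:
        clean = {k: v for k, v in row.items() if k != "password"}
        clean["password_hash"] = hash_password(row["password"], iterations=iterations)
        migrated.append(clean)
    return migrated


if __name__ == "__main__":
    table = migrate_cleartext_table(SAMPLE_CLEARTEXT_ROWS)
    for row in table:
        print(row["user_id"], row["email"], row["password_hash"][:40] + "...")
    # Same password on rows 101 and 102, different stored values: the salts differ.
    assert table[0]["password_hash"] != table[1]["password_hash"]
    assert verify_password("GoCougars2012", table[0]["password_hash"])
    assert not verify_password("gocougars2012", table[0]["password_hash"])
```

The point for the vendor conversation: the migration is a one-time pass over the user table plus a change to the login check, and nothing about the application flow needs the original password afterwards. Storing the algorithm and iteration count in each record is what lets the work factor be raised later without forcing every applicant to reset.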