Educause Security Discussion mailing list archives
Re: Security Awareness Programs
From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Thu, 3 Apr 2014 14:42:03 +0000
So you're saying that auditors do not care about student accounts and password change policies since students are external users (i.e., not employees)? Or by external are you referring to someone who never logs on to a company owned computer at a company owned facility?

Mike

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hall, Rand
Sent: Thursday, April 03, 2014 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness Programs

These example users are all external to the company involved. Most password change policies are driven by a little checkbox on a form used by whoever is auditing your company. Those auditors are only interested in internal users.

Rand

Rand P. Hall
Director, Network Services
askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein

On Wed, Apr 2, 2014 at 3:49 PM, Mike Cunningham <mike.cunningham () pct edu> wrote:

I have a philosophical question for this group...

My bank never requires me, their customer, to ever change my password.
My credit union never requires me, their customer, to ever change my password.
My health insurance company never requires me, their customer, to ever change my password.
My investment web site, my credit card bank, my online prescription site, my hotel rewards account, my airline rewards account, my daughter's school district, never require me to ever change my password.

Why does Higher Education make students, their customers, change their password? Would it be better to not require it and teach them why they should instead?

Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, April 02, 2014 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness Programs

JMU policy requires password changes every 90 days. Our password change process includes having to click through captive web pages containing security awareness content. We do not track progress. People may click through without reading it. We know based on feedback that some do. OTOH we know based on feedback that some don't.

It is all custom code and content. Content is based on role and whether it is the first time through:

new applicants (one page on phishing and AUP)
new/returning student
new/returning employee/affiliate
graduate (one page on phishing and AUP)

Content for new folks is relatively constant. It hasn't changed much over the years. Content for returning folks changes about once a semester. We've been doing this for around ten years.

People are sent an email message after the password change indicating the change and providing a link to provide feedback for the security awareness content. Feedback has been mixed. Sometimes, uh, colorful and often associated with the requirement to change passwords. Sometimes quite positive and/or constructive.

Gary Flynn
Security Engineer
James Madison University

Don't Be A PHISH! IsItReal?
http://www.jmu.edu/computing/ittraining/SIGUCCS/story.html

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Lundstedt
Sent: Wednesday, April 02, 2014 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Awareness Programs

Hi All,

Curious on what others are doing to 'get the word out' on their campuses. What approaches seem to work best, from both an initial push out on a new subject or with a new program, to keeping things up to date with acknowledgements, visibility, &c?

From a product point of view, we've explored the SANS Securing the Human series among a few others, but the lack of customization and integration into HR training modules is steering us away. Experiences there?

Peter Lundstedt
SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES
oit