Educause Security Discussion mailing list archives

Re: Password Management Policy & Standards


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Fri, 26 Feb 2016 12:02:23 -0500

All remote access with the exception of email requires two factor, as well
as some of our critical IT infrastructure (DNS is one example).  I would
like to expand that, but will probably want to go with a different solution
than RSA keyfobs, as the management of fobs is enough of a headache as it
is.

-Kevin



From:   Dan Sarazen <dsarazen () BRANDEIS EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   02/26/2016 11:55 AM
Subject:        Re: [SECURITY] Password Management Policy & Standards
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



Not to come from left field, but do your long-term plans include the
deployment of two-factor? At least for privileged accounts
(server/network/firewall admins, some financial accounts where the users
can override the general ledger, or where known but unavoidable segregation
of duties issues exist, etc.)?

Thanks,

Dan

On Fri, Feb 26, 2016 at 11:31 AM, Frank Barton <bartonf () husson edu> wrote:
  I will chime in and say that we have seen cases of compromised email
  passwords not being used for an extended period of time, and then
  suddenly being used again (this is based on our reading of login logs).

  We use a similar 90-day policy for Faculty & Staff, but not for students.

  Frank

  On Fri, Feb 26, 2016 at 10:52 AM, Kevin Reedy <KReedy () excelsior edu>
  wrote:
   We currently are at 90 day expiration for staff and faculty, based
   primarily upon PCI.  Now that we have gone card not present, SAQ-A I'm
   toying with the idea of bringing it out to 6 months and increasing the
   minimum length.

   Students do not have to change their passwords.  Occasionally we find a
   student credential in a pony dump and we simply lock the account,
   without even checking the password.  This seems to be pretty standard
   for all non-financial internet sites; Google may encourage me to change
   my password from time to time, but they don't require it unless they
   have a confirmed breach.  Same with Amazon, eBay, the list goes on.
   From an institutional risk standpoint a compromised student account
   doesn't give them much, even on the individual student.

   I also agree with what has been stated: forced password rotation has
   been considered a best practice for a long time, but provides minimal
   added security.

   -Kevin

   Kevin Reedy
   Executive Director, Information Security
   Excelsior College
   (518) 464-8720



   From:   Carlos Lobato <clobato () NMSU EDU>
   To:     SECURITY () LISTSERV EDUCAUSE EDU,
   Date:   02/26/2016 10:34 AM
   Subject:        [SECURITY] Password Management Policy & Standards
   Sent by:        The EDUCAUSE Security Constituent Group Listserv
               <SECURITY () LISTSERV EDUCAUSE EDU>



   All,

   I highly appreciate the discussion regarding this topic and would highly
   appreciate hearing more from you on the specifics of how you are
   addressing the frequency of changing passwords.

   Additionally, if you are changing your passwords, is this requirement
   applicable to all types of accounts, including service accounts, highly
   privileged accounts, student accounts, etc.?

   If you are not changing your passwords at all, please let me know as
   well, including your reasoning.

   Carlos

   From: The EDUCAUSE Security Constituent Group Listserv [
   mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
   Sent: Wednesday, February 24, 2016 5:19 PM
   To: SECURITY () LISTSERV EDUCAUSE EDU
   Subject: [SECURITY] Password Management Policy & Standards

   Hello Colleagues,

   I'm working on promoting institutional compliance with our current
   password policy, which requires regular password changes every 120 days
   for all accounts.

   However, I would like to know if some of you have created a table or
   matrix listing all of your types of accounts, and whether password
   expiration dates vary depending on the type of account, which would be
   based on risk.

   If you have a listing, I would highly appreciate a link or a copy of
   your document.  I am using various resources including NIST SP 800-118,
   and I can share with the group after I finish my analysis and
   potentially re-write our current NMSU password policy to make it more
   realistic.

   Thank you so much for any input that you may have.

   Carlos

   Carlos S. Lobato, CISA, CISSP, CPA
   IT Compliance Officer

   New Mexico State University
   Information and Communication Technologies
   MSC 3AT PO Box 30001
   Las Cruces, NM  88003

   Phone (575) 646-5902
   Fax (575) 646-5278


   This message and any attachments contain confidential Excelsior College
   information intended for the specific individual and purpose. If you are
   not the intended recipient, you should notify the College and delete
   this message. Any disclosure, copying, distribution or inappropriate use
   of this message is strictly prohibited.



  --
  Frank Barton
  ACMT
  IT Systems Administrator
  Husson University


