Re: MFA requirement for faculty

[Cam Beasley <cam () UTEXAS EDU>]

1 - yes for all central ID usage (for active faculty/staff/students) in all web services/applications — coming in 
Spring (partially rolled already)
2 - yes, 30-days
3 - yes, we use this option for those scenarios (http://eproxy.utexas.edu/)
4 - see 3

~cam.



--
Cam Beasley
Chief Information Security Officer
Information Security Office
The University of Texas at Austin
security () utexas edu | 512.475.9242
http://security.utexas.edu
=======================================




> On Sep 12, 2018, at 1:49 PM, Jackson, William <WJackson () FLAGLER EDU> wrote:
>
> 1.       No. Only staff and faculty accessing remote services must have Duo Security MFA. This is for the Remote 
> Desktop and VPN.
> 2.       No remembered devices allowed. The thought is that if the device is stolen the MFA protects the remote 
> assets.
> 3.       N/A
> 4.       N/A
>  
>
> William M. Jackson Jr.
> Director of Network and Desktop Support Services
>
> Flagler College
>  
> Office Line: 904.819.6310
> Mobile Line: 904.814-7877
> Email: wjackson () flagler edu
>
> Support Line: 904.819.6293
> Support Email: support () flagler edu
> Support Page: support.flagler.edu
>
> Follow us to stay updated on scheduled
> downtime, issues & solutions, and more:
> Website | Facebook | Twitter
>
> Questions or comments about our service? Fill out our brief survey and let us know!
>
> <image001.jpg>
>  
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
> Sent: Wednesday, September 12, 2018 1:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] MFA requirement for faculty
>  
> 1.       Yes, it is required regardless of physical/network location.
> 2.       Yes, for a longer period than I would like, but it has dramatically reduced complaints during the 
> enrollment/familiarization process… J
> 3.       N/A – we do not currently require students to use MFA (we do however require student employees to use MFA).
> 4.       N/A
>  
> And to Harvard’s original question, we require use of MFA by faculty (including adjuncts) for all of our major 
> systems (ERP, LMS, Email, etc.)
>  
> Good luck with your implementations!
>  
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Sean Hagan
> Chief Information Security Officer
> Yavapai College
> (928) 717-7651 – direct
> https://www.yc.edu
>  
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of McClenon, 
> Brady
> Sent: Wednesday, September 12, 2018 10:37 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] MFA requirement for faculty
>  
> For those that rolled out MFA:
>  
>       • Did you require it everywhere, or have exempt locations?  Like on your campus network, perhaps.
>       • Did you allow devices to be “remembered?”
>       • Was there any blowback from “helicopter parents” that were used to accessing their “child’s” account?
>       • If yes to #3, how did you deal with it?
>  
>  
>  
> Brady McClenon
> IT Security Administrator
> ITS – IT Security
> SUNY Oneonta
>  
> Information Security is Everyone’s Responsibility!  Learn more at http://staysafeonline.org/ncsam/
>  
>  
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
> Sent: Wednesday, September 12, 2018 1:28 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] MFA requirement for faculty
>  
> As far as Azure AD MFA, and the lack of token support, our experience was similar to Chris’s. Out of nearly 16k 
> student enrollments, we had less than a dozen who requested exemption based on not have a device to receive the 
> second factor. We limited our rollout to students only.
>  
> Anyone whose account was compromised as a result of social engineering, regardless of their affiliation, is enrolled.
>  
> FAC/STAFF can request enrollment, but we haven’t mandated it yet.
>  
> BTW, here’s an article on 2-Step Login (our branding of MFA) that appeared in the last issue of our student press. [1]
>  
> Marty Manjak
> CISO
> University at Albany
>  
> [1] http://www.albanystudentpress.net/opinion-two-step-verification-long-overdue/
>  
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, 
> Christopher S.
> Sent: Wednesday, September 12, 2018 10:47 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] MFA requirement for faculty
>  
> We require MFA for all users (faculty, staff, and students) for Office365, Banner and a couple of other applications. 
>  Adding MFA to other higher risk systems is in the works for this year.
>  
> We had executive support to include all users, and the rollout went smoother than I anticipated.  We’re using 
> Microsoft Azure AD MFA which doesn’t support hardware tokens (yet) so we did need to exempt a small population of 
> about 40 users who didn’t have a cell phone, and couldn’t use a desk phone as their 2nd factor.  I expected we might 
> get a run on people saying they didn’t have a cell phone if they thought it would get them out of MFA, but that 
> didn’t really happen.  Most of those 40 people were faculty though so you may want to factor that in to your planning.
>  
> Thanks,
>  
> Chris
>  
>  
> Chris Gregg
> Associate Vice President of Information Security & Risk Management, CISO
> Information Technology Services (ITS)
> csgregg () stthomas edu
> p 1 (651) 962-6265
> University of St. Thomas | stthomas.edu
>  
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pitt, Sharon
> Sent: Wednesday, September 12, 2018 9:20 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Fw: MFA requirement for faculty
>  
> Sending to the security list for response.  Harvard, you may want to consider joining this constituent group list.  
> In the meantime, I ask that we copy Harvard on responses.  
>
>  
>
> As a quick response to Harvard, the University of Delaware requires MFA for all users (including faculty) on multiple 
> tools, to include anything associated with our ERP and email.  
>
>  
>
> Thanks all!
>
>  
>
> Sharon P. Pitt
> Vice President of Information Technologies
> University of Delaware
> 030 Smith Hall
> Newark, DE 19716
> (302) 831-0221
>  
> Co-Chair, Higher Education Information Security Council (HEISC)
>  
>  
> spitt () udel edu
> twitter@sppitt
>  
>  
>
> From: The EDUCAUSE CIO Constituent Group Listserv <CIO () LISTSERV EDUCAUSE EDU> on behalf of Harvard Townsend 
> <harvard.townsend () WHEATON EDU>
> Sent: Wednesday, September 12, 2018 10:01 AM
> To: CIO () LISTSERV EDUCAUSE EDU
> Subject: [CIO] MFA requirement for faculty
>  
> Good morning,
> We need some help selling multi-factor authentication to our faculty. Quick question - how many of you require MFA 
> for faculty? We currently require it for staff and are now moving forward with faculty. Replies to the mailing list 
> or directly to me are greatly appreciated. 
> Regards,
> --
> Harvard Townsend
> Director of Infrastructure & Security
> Academic & Institutional Technology
> Wheaton College, IL
> Office: (630)752-5528
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
>
>
>
>
> This email contains CONFIDENTIAL information intended only for the use of the addressee(s) named above. If you are 
> not the intended recipient of this email, you are hereby notified that any dissemination or copying of this email is 
> strictly prohibited. If you have received this email in error, please notify us by reply email and delete this email 
> from your records. Furthermore, the contents of this email do not necessarily represent official policy of Flagler 
> College.

Attachment: smime.p7s
Description: