Educause Security Discussion mailing list archives
Re: Making the case for security policies and personnel
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 14 Feb 2003 09:54:55 -0500
Audit wants password aging (expiration). Over the years, we haven't seen any real benefit to that, and favor requiring users to consistently pick a really good password instead. We do know that password aging causes an additional burden on our support centers, esp. at semester start time, and after holiday breaks because students forget their passwords when they are away. Some of us have discussed before whether there has been a study done related to password expiration, but no one recalls seeing one.

Having said that, we do expire passwords on our mainframe, at 60 days. Once that system is gone -- we've had a 5-year plan to retire that for 10 years -- and we get our central authentication scheme broadly used, we will no longer have aging in any significant way. But, I've asked our IU(Yale)CAS team to include that as an option in our scheme anyway, along with intruder lockout. And, our scheme has fairly stringent password-forming rules. Our standard/central password change page is at https://password.iu.edu/.

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Ced Bennett [mailto:Ced.Bennett () Stanford edu]
Sent: Friday, February 14, 2003 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Making the case for security policies and personnel

Mark:

I concur with all your comments about "keep it high level." And in talking with people on campus who are more reluctant to understand or care, I use metaphor ("would you come to work in the morning and leave the front door of your house open? Or closed, but unlocked?").

I actually have a dotted-line relationship with the Director of Internal Audit and it has been invaluable. Among other things, he often offers his help in talking with offices that need to be persuaded of the right way to do things.

Cheers,
Ced

PS: What are the two positions (between you and audit) on password aging (I missed the thread here).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cedric Bennett
Ph: 650/723-0728 Fax: 650/723-2011
Director of Information Security Services
Information Technology Systems & Services
Stanford University
Polya Hall, Room 103
255 Panama Street
Stanford, CA 94305-3055
Ced.Bennett () Stanford edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
Sent: Thursday, February 13, 2003 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Making the case for security policies and personnel

I just came across this, and recognized it was most likely addressed to me! Sorry for the delay.

I have several presentations that we've done for the IU Board of Trustees, but those were done in closed session and so I can't share them. I do think there is good information in a presentation that our CIO did at EDUCAUSE 2001. See that at http://www.indiana.edu/~ovpit/presentations/.

The key, as I've said before, and this might be obvious, is to keep things high level. Discuss institutional risks and not individual security vulnerabilities. The Dean of SPEA doesn't care about inetd or NETBios vulnerabilities. The Dean of SPEA cares that student grades might very well be exposed. The Dean of SPEA cares that his email could very well be read by others. The Dean of SPEA cares that he might have to answer pointed questions from the media about why a system was mismanaged -- reporters are getting much more wise and are asking questions like "well, if the vulnerability exploited was such-and-such, there was a patch issued last August. Why wasn't that applied?"

Anecdotally: it happened here just like that. In the media "event" related to one of our two publicized incidents in 2001, the Dean said "our technicians have informed me that the patch you cite wasn't applicable to our server." I was at the table under the lights with him, and all I could do was sit there, knowing he was wrong, and waiting for someone to call him on it. I just hoped they didn't ask me if I agreed. They didn't at the time, but a reporter called me immediately after and asked me about it, and I said that he needed to call the Dean because I wasn't intimately familiar with their technology suite. So glad I took those classes in handling the media.

By the way, when we report to the Trustees in closed session, the Director of Internal Audit is also there, and so our relationship with him and his office is key. They do look to him periodically for comment and input on what we are saying, and he has always absolutely concurred. He has said numerous times "yes, that is definitely consistent with what we saw in our last round of audits." I also get copied on every audit report, and we're asked to comment on many of them where IT security and policy issues are at issue. It is very frequent that our Security Office is mentioned in these as a source for information or security tools. (They and we still disagree on password aging, as I've said here before...but agree on most everything else :)

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Dorette Kerian [mailto:dorette_kerian () MAIL UND NODAK EDU]
Sent: Friday, February 07, 2003 6:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Making the case for security policies and personnel

Mark,

I heard you speak at Net@edu about making the case for security policies and personnel on your campus. It was helpful information. You talked about the importance of speaking in CEO or cabinet talk rather than technical talk. You also mentioned that you may have a slide show you used on your campus. I'm having difficulty getting traction with the administration on this issue so I'm looking for other approaches. I'd sure appreciate any examples, models you would be willing to share.

Thanks, Mark.

Best wishes,
Dorette

Dorette Kerian, Director, ITSS
Information Technology Systems and Services
University of North Dakota and Higher Education Computer Network
dorette_kerian () mail und nodak edu
701.777-3880, fax 701.777-3978

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Making the case for security policies and personnel Dorette Kerian (Feb 07)
- <Possible follow-ups>
- Re: Making the case for security policies and personnel Dorette Kerian (Feb 07)
- Re: Making the case for security policies and personnel Jim Wilcox (Feb 07)
- Re: Making the case for security policies and personnel Tracy Mitrano (Feb 07)
- Re: Making the case for security policies and personnel Jim Moore (Feb 10)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 13)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 14)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 14)
- Re: Making the case for security policies and personnel James Conley (Feb 14)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 18)
- Re: Making the case for security policies and personnel Scott Bradner (Feb 19)