Educause Security Discussion mailing list archives

Re: Making the case for security policies and personnel


From: Ced Bennett <Ced.Bennett () STANFORD EDU>
Date: Tue, 18 Feb 2003 17:06:04 -0800

Mark:
Thanks for replying to my PS question.  We've had a DCAA audit that says we
should go to password aging (but there is a similar reluctance here - even
with the CFO).  I've been thinking about associating the policy, if we must
do one, with the related risk of the account holder (that is, the depth and
breadth of assets the account can reach).  So, for example, maybe no aging
for students; maybe 90 or 180 days for the average white collar with access
to one or more administrative systems, maybe more frequently (or better, a
token-based, two-factor system) for system admins.

The potential upside of changing passwords more frequently is often offset
by the downside of human behavior (they will mitigate the problem for
themselves by following other, even worse, security practices regarding the
security of the password itself).

In almost no case would I think of automating compliance (that is, actually
aging the password so it can't be used - except for the token-based system
which forces the issue at every logon).

I actually had a staff member try to find research on the topic - including
among all the PhD dissertations around here - and also asked some outside
firms we've used if they'd seen any research-oriented work on the topic.
Our conclusion is that no one seems to have done definitive research on the
topic (so there's an idea for any topic-less PhD candidates out there - it
may be an interesting computer science / sociology / psychology project).

Just a thought or two - and thanks again for sharing,
Ced

| -----Original Message-----
| From: The EDUCAUSE Security Discussion Group Listserv
| [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
| Sent: Friday, February 14, 2003 6:55 AM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: Re: [SECURITY] Making the case for security policies
| and personnel
|
|
| Audit wants password aging (expiration).  Over the years, we
| haven't seen any real benefit to that, and favor requiring
| users to consistently pick a really good password instead.
| We do know that password aging causes an additional burden on
| our support centers, esp. at semester start time, and after
| holiday breaks because students forget their passwords when
| they are away.  Some of us have discussed before whether
| there has been a study done related to password expiration,
| but no one recalls seeing one.
|
| Having said that, we do expire passwords on our mainframe, at
| 60 days. Once that system is gone -- we've had a 5-year plan
| to retire that for 10 years -- and we get our central
| authentication scheme broadly used, we will no longer have
| aging in any significant way.  But, I've asked our
| IU(Yale)CAS team to include that as an option in our scheme
| anyway, along with intruder lockout.  And, our scheme has
| fairly stringent password-forming rules.  Our
| standard/central password change page is at https://password.iu.edu/.
|
| M.
|
| --
| Mark S. Bruhn, CISSP
| Chief IT Security and Policy Officer
| Office of the Vice President for Information Technology and
| CIO Indiana University 812-855-0326
|
| Incidents involving IU IT resources: it-incident () iu edu
| Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
|
|
|
|
| -----Original Message-----
| From: Ced Bennett [mailto:Ced.Bennett () Stanford edu]
| Sent: Friday, February 14, 2003 9:05 AM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: Re: [SECURITY] Making the case for security policies
| and personnel
|
|
| Mark:
| I concur with all your comments about "keep it high level."
| And in talking with people on campus who are more reluctant
| to understand or care, I use metaphor ("would you come to
| work in the morning and leave the front door of your house
| open?  Or closed, but unlocked?").
|
| I actually have a dotted-line relationship with the Director
| of Internal Audit and it has been invaluable.  Among other
| things, he often offers his help in talking with offices that
| need to be persuaded of the right way to do things.
|
| Cheers,
| Ced
|
| PS:  What are the two positions (between you and audit) on
| password aging?  (I missed the thread here.)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cedric Bennett          Ph:   650/723-0728      Fax:  650/723-2011
| Director of Information Security Services
|   Information Technology Systems & Services
| Stanford University
| Polya Hall, Room 103
| 255 Panama Street
| Stanford, CA 94305-3055          Ced.Bennett () Stanford edu
|
|
|
| -----Original Message-----
| From: The EDUCAUSE Security Discussion Group Listserv
| [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
| Sent: Thursday, February 13, 2003 12:12 PM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: Re: [SECURITY] Making the case for security policies
| and personnel
|
|
| I just came across this, and recognized it was most likely
| addressed to me!  Sorry for the delay.
|
| I have several presentations that we've done for the IU Board
| of Trustees, but those were done in closed session and so I
| can't share them.  I do think there is good information in a
| presentation that our CIO did at EDUCAUSE 2001.  See that at
| http://www.indiana.edu/~ovpit/presentations/.
|
| The key, as I've said before, and this might be obvious, is
| to keep things high level.  Discuss institutional risks and
| not individual security vulnerabilities.  The Dean of SPEA
| doesn't care about inetd or NETBios vulnerabilities.  The
| Dean of SPEA cares that student grades might very well be
| exposed.  The Dean of SPEA cares that his email could very
| well be read by others.  The Dean of SPEA cares that he might
| have to answer pointed questions from the media about why a
| system was mismanaged -- reporters are getting much more wise
| and are asking questions like "well, if the vulnerability
| exploited was such-and-such, there was a patch issued last
| August.  Why wasn't that applied?"
|
| Anecdotally:  it happened here just like that.  In the media
| "event" related to one of our two publicized incidents in
| 2001, the Dean said "our technicians have informed me that
| the patch you cite wasn't applicable to our server."  I was
| at the table under the lights with him, and all I could do
| was sit there, knowing he was wrong, and waiting for someone
| to call him on it.  I just hoped they didn't ask me if I
| agreed.  They didn't at the time, but a reporter called me
| immediately after and asked me about it, and I said that he
| needed to call the Dean because I wasn't intimately familiar
| with their technology suite.  So glad I took those classes in
| handling the media.
|
| By the way, when we report to the Trustees in closed session,
| the Director of Internal Audit is also there, and so our
| relationship with him and his office is key.  They do look to
| him periodically for comment and input on what we are saying,
| and he has always absolutely concurred. He has said numerous
| times "yes, that is definitely consistent with what we saw in
| our last round of audits."  I also get copied on every audit
| report, and we're asked to comment on many of them where IT
| security and policy issues are at issue.  It is very frequent
| that our Security Office is mentioned in these as a source
| for information or security tools.  (They and we still
| disagree on password aging, as I've said here before...but
| agree on most everything else :)
|
| M.
|
| --
| Mark S. Bruhn, CISSP
| Chief IT Security and Policy Officer
| Office of the Vice President for Information Technology and
| CIO Indiana University 812-855-0326
|
| Incidents involving IU IT resources: it-incident () iu edu
| Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
|
|
|
|
| -----Original Message-----
| From: Dorette Kerian [mailto:dorette_kerian () MAIL UND NODAK EDU]
| Sent: Friday, February 07, 2003 6:46 PM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: [SECURITY] Making the case for security policies and
| personnel
|
|
| Mark,
| I heard you speak at Net@edu about making the case for
| security policies and personnel on your campus.  It was
| helpful information.  You talked about the importance of
| speaking in CEO or cabinet talk rather than technical talk.
| You also mentioned that you may have a slide show you used on
| your campus. I'm having difficulty getting traction with the
| administration on this issue so I'm looking for other
| approaches.  I'd sure appreciate any examples, models you
| would be willing to share. Thanks, Mark. Best wishes, Dorette
|
| Dorette Kerian, Director, ITSS
| Information Technology Systems and Services
| University of North Dakota and Higher Education Computer
| Network dorette_kerian () mail und nodak edu 701.777-3880, fax
| 701.777-3978
|
| **********
| Participation and subscription information for this EDUCAUSE
| Discussion Group discussion list can be found at
| http://www.educause.edu/memdir/cg/.

