Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Christian Wilson <Christian.Wilson () ITS MONASH EDU AU>
Date: Sat, 28 Aug 2004 02:09:37 +1000

Theresa,

On Fri, Aug 27, 2004 at 08:29:17AM -0400, Theresa M Rowe wrote:
> I just cannot imagine even trying that in our culture.  I am
> surprised that this is being done at some organizations.  Can
> you share more specifics about the process:
> What campus involvement did you get prior to making the
> decision - this couldn't have been just an IT decision.
> How did you market it?
> How did your faculty react?

We have an IT Security Policy (everyone I believe can read it, it's located
at http://www.adm.monash.edu.au/unisec/pol/itec13.html).

Things like cracking passwords/finding security vulnerabilities and exposing
such vulnerabilities can be determined from our policy via the following
clause:

"10.2 Monitoring will be undertaken routinely by ITS Authorized Staff in
the normal course of their duties to maintain technical security and
operational efficiency of the system/service. Any extraordinary action
taken to monitor IT services must be authorized by the Executive
Director, ITS."

So basically issues regarding technical security, the cracking of usernames
and passwords would fall under this.

Our IT Security Policy has been approved by the University IT Policy group,
so that's how we can justify doing what you are asking.

Perhaps things are different in Australia as opposed to the US? I don't know?
I'd be interested in seeing what people on list think about our policy.

Hope this helps
Christian.
--
Christian Wilson
IT Security and Risk Manager, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone: +61 3 990 51187
