Educause Security Discussion mailing list archives

Re: Email account management for alumni


From: Dave Koontz <dkoontz () MBC EDU>
Date: Thu, 26 Jan 2006 18:51:18 -0500

Great question Gary.  The only answer I can offer is that everyone's mileage
will certainly vary here, and what works for one site may not work for
another.  We've had GREAT success with our system... But... Clearly each of
us must analyze the risks associated with the level of access that any given
user/group requires to make proper decisions.

In our environment, all transcript requests must go through our Registrar's
office, which are not free nor readily available online.  It sounds like you
are not so lucky.  If any of these users in question require access to any
type of data you would consider "confidential" information, then I believe
you have no choice but to treat them like any other "administrative" system
user, and require whatever user verification schemes you currently require
of those "administrative" users to reset their passwords, which are
hopefully much more restrictive.  Do this a time or two, and I hope /
believe these users will actually take a vested interest in maintaining
their own information.


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 25, 2006 10:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email account management for alumni

Dave Koontz wrote:

Given the limited network access rights most students / alumni and
other non-administrative users have in our network, we opted to write
our own Web Based Password Reset form for these users.  It works
similarly to some high-dollar commercial software. We see this as fairly
minimal risk, since in our environment these user accounts do not have
rights to any administrative software or critical services.

What about folks who want to make things like transcripts available online?
