Educause Security Discussion mailing list archives
Re: Authorizing password changes in a health science center
From: Steve Devoti <devoti () WISC EDU>
Date: Tue, 13 Feb 2007 15:33:17 -0600
David,

At my former employer, a large financial institution, we handled it this way. We provided online password reset functionality via challenge questions. If someone could not answer the challenge question(s), we required them to present their badge in person at the security administration help desk. This worked fine, of course, if the user happened to work at the home office. If they worked at a remote location or were traveling, a responsible party, usually a company officer, would send an email to security administration, who would then contact the individual via phone. There are of course at least a couple of ways this could go wrong, but we had plans to move to digitally signed emails, which would cover the biggest gap. This process replaced the old "give me the last 4 digits of your SSN" way.

Hope this helps.

Steve

Steve Devoti
Senior IT Architect
University of Wisconsin-Madison (DoIT)
1210 W. Dayton St
Madison, WI 53706
(608) 265-3997
devoti () wisc edu

From: David Grisham [mailto:DGrisham () SALUD UNM EDU]
Sent: Tuesday, February 13, 2007 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authorizing password changes in a health science center

The hospital has for a long time required a facsimile of the identification badge each time a password change is requested. It is a new century and programs like Photoshop presented a new risk to that process. We do not want to ask for personal information on any email or phone call request. (Our staff could be around others who might take advantage of that information, if overheard.) We have added password challenge questions for half of our systems. The patient systems cannot be placed into a web page challenge at this time. What do your account groups do to verify the identity of someone needing a password change to systems with confidential information?

Cheers.
-grish

David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu