Educause Security Discussion mailing list archives

Re: Authorizing password changes in a health science center


From: Steve Devoti <devoti () WISC EDU>
Date: Tue, 13 Feb 2007 15:33:17 -0600

David,

At my former employer, a large financial institution, we handled it this
way.  We provided online password reset functionality via challenge
questions.  If someone could not answer the challenge question(s) we
required them to present their badge in person at the security
administration help desk.

This worked fine of course if the user happened to work at the home office.
If they worked at a remote location or were traveling, a responsible party,
usually a company officer, would send an email to security administration
who would then contact the individual via phone.  There are of course at
least a couple of ways this could go wrong, but we had plans to move to
digitally signed emails which would cover the biggest gap.

This process replaced the old "give me the last 4 digits of your SSN" way.

Hope this helps.

Steve

Steve Devoti
Senior IT Architect
University of Wisconsin-Madison (DoIT)
1210 W. Dayton St
Madison, WI 53706
(608) 265-3997
devoti () wisc edu





From: David Grisham [mailto:DGrisham () SALUD UNM EDU]
Sent: Tuesday, February 13, 2007 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authorizing password changes in a health science center



The hospital has for a long time required a facsimile of the identification
badge each time a password change is requested.  It is a new century and
programs like Photoshop presented a new risk to that process.  We do not
want to ask for personal information on any email or phone call request.
(Our staff could be around others who might take advantage of that
information, if overheard.)
We have added password challenge questions for half of our systems.  The
patient systems cannot be placed into a web page challenge at this time.
What do your account groups do to verify the identity of someone needing a
password change to systems with confidential information?





Cheers. -grish
David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

