Educause Security Discussion mailing list archives
Re: Password Security
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 23 Oct 2007 10:08:07 -0700
Dear Kevin,

There are three ways to handle risk. Namely, remediate, accept, and assign.

How about proposing to the department that you understand if they wish to use this practice, however, you would like to ensure that each employee be required to undergo security awareness training prior to receiving the card or access to their payroll and annual benefits account. (Thus, you are remediating, but then also accepting residual risk.) I would say that this training should specifically address the system that the employee is about to use, and the serious risks and consequences should the personal information be stolen or used inappropriately. In that training, you would address the risks of identity theft, inappropriate changes to employee payroll/benefits, etc.

Now, in a documented letter to the department head, you would state that you do not support this practice, but recommend the training described above in order to mitigate the risk of employee information being inadvertently stolen. Make the department head sign a letter stating that they will take the responsibility to ensure that each employee undergoes this training prior to being granted access to the payroll/benefits system. Then, once the employee undergoes training, make them sign a waiver indicating that they understand the risk associated with writing passwords down, and that the University will not take responsibility for this information being lost or stolen as a result of the employee's carelessness. You are now assigning the risk to the employee and back to the department.

Because I do not know the structure of this department in relation to your office, all of this information would have to be altered to fit the exact circumstances of your situation.

Anyway, interesting discussion. I will be interested to hear the input of the rest of the listserv.
Sarah Stevens
Stevens Technologies, Inc

________________________________
From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Tue 10/23/2007 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Security

Hi All:

I am currently fighting an internal battle and wanted to do a sanity check to see if I am being too stubborn with my stance.

Scenario: I have a department that wants to give their employees information on business-sized cards. There is a slot on the card for people to write down their passwords to their payroll and annual benefits account. The idea is for the less computer-literate staff to be able to keep these handy (in their wallets or purses, let's say) so that they can refer to them as needed.

For years we have been teaching people not to write their passwords down, and while some people may do this on their own, I feel that by telling them to do something that is so "anti-best practice" we are increasing our overall liability if any of these accounts are breached.

Btw - I have discussed many alternative approaches with the department - none of which they are interested in hearing.

Thoughts? (can be directed to me personally vs. the listserv if you prefer)

-Kevin

Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

CONFIDENTIALITY NOTICE: This e-mail message and its content are confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.
Current thread:
- Password Security Mclaughlin, Kevin (mclaugkl) (Oct 23)
- <Possible follow-ups>
- Re: Password Security Samuel Young (Oct 23)
- Re: Password Security Gary Dobbins (Oct 23)
- Re: Password Security Wyman Miles (Oct 23)
- Re: Password Security Sarah Stevens (Oct 23)
- Re: Password Security Gene Spafford (Oct 23)
- Re: Password Security Vicky Walker (Oct 23)
- Re: Password Security Roger Safian (Oct 23)
- Re: Password Security Mclaughlin, Kevin (mclaugkl) (Oct 23)
- Re: Password Security Logan, Kimberly (loganks) (Oct 23)
- Re: Password Security Steven Alexander (Oct 23)
- Re: Password Security Jim Dillon (Oct 23)
- Re: Password Security Doug Markiewicz (Oct 23)
- Re: Password Security Jim Dillon (Oct 23)
- Re: Password Security David Seidl (Oct 23)
(Thread continues...)