Educause Security Discussion mailing list archives

Re: SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182)


From: Erwin Carrow <Erwin.Carrow () USG EDU>
Date: Mon, 30 Aug 2010 09:53:44 -0400

I am in agreement with much that has been stated - but the criticality regarding HIPAA compliance can be answered with 
one question.

"Is the information being communicated / exchanged via 'trusted' paths (source, destination, access control, data at 
rest, etc)?"

If you can effectively justify and defend your response -- compliance is not an issue.  From my experience most cannot 
and therefore encryption is not just a requirement, but an act of due diligence / standard of care!

-Chris

Erwin (Chris) Louis Carrow,
CISSP, INFOSEC, CCSP, CCNP, OCM
IT Audit Director, Office of Internal Audit and Compliance
Board of Regents, University System of Georgia Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: erwin.carrow () usg edu

**********CONFIDENTIALITY NOTICE****************
This e-mail and any attachments may contain private, confidential, and privileged information for the sole use of the 
intended recipient. If you are not the intended recipient, any dissemination, distribution or copying is strictly 
prohibited. If you think that you have received this e-mail message in error, please contact the sender, keep the 
contents confidential and immediately delete the message and any attachments from your system.
***********************************************


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Saturday, August 28, 2010 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182)

There are 7 messages totalling 1706 lines in this issue.

Topics of the day:

  1. HIPAA Requires Encryption? (2)
  2. Lockout Settings (5)

----------------------------------------------------------------------

Date:    Thu, 26 Aug 2010 22:17:48 -0600
From:    Ozzie Paez <ozpaez () SPRYNET COM>
Subject: Re: HIPAA Requires Encryption?

Dear Mike,

Yours is a very logical approach and I cannot disagree with you technically,
however, the regulatory environment has factors, which often drive a
decision.  When it comes to sensitive personal information such as what we
deal with in HIPAA, there is always the issue of liability and its
attractive effects on attorneys.  In that light, some things are simply
expected and when they are not there, the organization's liability based on
perception increases significantly.  Explaining to a jury why technically
encryption is not necessary takes time and exposes any technical argument to
a counter technical argument.  In the end, the jury may well throw up its
hands and cancel the experts out, which leaves the attorney with the simple
question of "How could they justify leaving this data unencrypted just to
save a few dollars?"  or "Everyone knows that encryption protects privacy
and yet they did not care enough to spend a few dollars more to protect my
clients' most private information?"  Anyway, my two cents worth is that it
is just not worth the risk because encryption has become a kind of expected
elixir, which, whether effective or not, affects overall risks and
liabilities -

Great points in your e-mail though -

Ozzie



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Thursday, August 26, 2010 9:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?



Doesn't the question of "should we encrypt" vs "do we have to encrypt" with
ANY kind of data, (HIPAA, or any other) also depend on the state of the
data?  Is the data "at rest" and other protections are already in
place?.....or is the data "in transit" and open? (ie, being e-mailed or
copied across WAN links?).....or is the data "in use", and still protected
because there's an authorized user monitoring the screen...??



I used to deal with highly sensitive data and for us, it always came down to
"....it depends...".  Policy always had to come down to the circumstances
behind the how, why, where, and when associated with the use of the
data....trying to adhere to a "one policy fits all" situation was a losing
proposition....



Just my $.02.....



M



  _____

From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez
[ozpaez () SPRYNET COM]
Sent: Thursday, August 26, 2010 9:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

Hey Matthew,

HIPAA does not require it, but any reasonable cost estimate will show that
it is worth it.  The risks and costs of dealing with unencrypted lost data
is so much higher that it is a risk not worth taking, particularly if you
already have the infrastructure in place.  Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?



Very recently, I inherited the job of focusing information security efforts.
In the process of upgrading a SQL server, a question has arisen regarding
the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the
server and the backup media.  It does come at some additional cost, though
it's manageable.  Before proceeding, however, I thought I'd ask if anyone
has suggestions.



Thanks,

--Matthew Link.

  Director, User Services

  Information Services, UCM

  660-543-8063

  link () ucmo edu


--
This message has been scanned for viruses and
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is
believed to be clean.



------------------------------

Date:    Fri, 27 Aug 2010 10:25:16 -0400
From:    Faith Mcgrath <faith.mcgrath () YALE EDU>
Subject: Re: HIPAA Requires Encryption?

As part of your risk assessment you may also want to review the HITECH
regs on breach notification for unsecured PHI and those specifications for
encryption for both data at rest and in motion (and for data
destruction). -Faith

_____________________
45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim
Final Rule
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

[pg 42742-42743]
"Protected health information (PHI) is rendered unusable, unreadable, or
indecipherable to unauthorized individuals if one or more of the
following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security
Rule by the use of an algorithmic process to transform data into a form
in which there is a low probability of assigning meaning without use of
a confidential process or key and such confidential process or key
that might enable decryption has not been breached. To avoid a breach of
the confidential process or key, these decryption tools should be stored
on a device or at a location separate from the data they are used to
encrypt or decrypt. The encryption processes identified below have been
tested by the National Institute of Standards and Technology (NIST) and
judged to meet this standard.
        (i) Valid encryption processes for data at rest are consistent with
NIST Special Publication 800-11, Guide to Storage Encryption
Technologies for End User Devices.
        (ii) Valid encryption processes for data in motion are those which
comply, as appropriate, with NIST Special Publications 800-52,
Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL
VPNs, or others which are Federal Information Processing Standards
(FIPS) 140-2 validated.
(b) The media on which the PHI is stored or recorded have been destroyed
in one of the following ways:
        (i) Paper, film, or other hard copy media have been shredded or
destroyed such that the PHI cannot be read or otherwise cannot be
reconstructed. Redaction is specifically excluded as a means of data
destruction.
        (ii) Electronic media have been cleared, purged, or destroyed
consistent with NIST Special Publication 800-88, Guidelines for Media
Sanitization, such that the PHI cannot be retrieved."

-- 
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu







Save a tree - please consider the environment before printing this email.

Please be aware that email communication can be intercepted in
transmission or misdirected. Please consider communicating any sensitive
information by telephone, fax or mail. The information contained in this
message may be privileged and confidential. If you are NOT the intended
recipient, please notify the sender immediately and destroy this
message. If you wish to confirm the content of this message and/or the
identity of the sender please contact me at the phone number given above.
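The safe-harbor text Faith quotes (data at rest encrypted with a NIST-consistent process, with the key kept on a device or at a location separate from the data) and Matthew's question about EPHI on the SQL server and its backup media come down to the same mechanics. The Go program below is an added example for this archive, not code from any of the posters or from the products they mention: it seals a constructed backup blob with AES-256-GCM, writes the ciphertext and the key under separate directories, and shows that a wrong key, a modified byte, or a truncated blob is rejected rather than decrypted to garbage. The sample record, directory names and function names are assumptions made for illustration; on a real SQL Server you would use the database's own backup encryption features and a key store that is not on the backup media.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewDataKey draws a fresh 256-bit AES key from the OS CSPRNG.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a backup blob with AES-256-GCM.
// Result layout: 12-byte random nonce || ciphertext || 16-byte tag.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the blob carries
	// everything needed to decrypt except the key itself.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup. The GCM tag check turns a wrong key
// or any modified byte into an error instead of silently returning garbage.
func DecryptBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short to hold nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// StoreSeparately writes the sealed backup and its key under different
// directories, mirroring the rule's requirement that the decryption key not
// travel with the media. Directory and file names are illustrative only.
func StoreSeparately(root string, sealed, key []byte) (dataPath, keyPath string, err error) {
	dataPath = filepath.Join(root, "backup-media", "ephi-backup.bak.enc")
	keyPath = filepath.Join(root, "key-store", "ephi-backup.key")
	for _, p := range []string{dataPath, keyPath} {
		if err = os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return "", "", err
		}
	}
	if err = os.WriteFile(dataPath, sealed, 0o600); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(keyPath, key, 0o600); err != nil {
		return "", "", err
	}
	return dataPath, keyPath, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 0000001|DOE, JANE|1970-01-01|dx Z00.00")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptBackup(key, record)
	if err != nil {
		panic(err)
	}
	root, err := os.MkdirTemp("", "ephi-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dataPath, keyPath, err := StoreSeparately(root, sealed, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext on media:", dataPath)
	fmt.Println("key held elsewhere: ", keyPath)
	fmt.Println("plaintext visible in blob:", bytes.Contains(sealed, []byte("DOE")))
	otherKey, _ := NewDataKey() // lost media, attacker has no key
	_, err = DecryptBackup(otherKey, sealed)
	fmt.Println("decrypt with wrong key:", err)
	restored, err := DecryptBackup(key, sealed)
	fmt.Println("restore with right key ok:", err == nil && bytes.Equal(restored, record))
}
```

The point of the GCM choice is that lost backup media fails closed: without the key the blob yields an authentication error, not a partially readable dump, which is what the "low probability of assigning meaning" language in the rule is after. The separate key-store directory stands in for whatever key management the site actually uses; the property to check in an audit is simply that the key is never written to the same media as the ciphertext.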

------------------------------

Date:    Fri, 27 Aug 2010 13:22:27 -0700
From:    "Plesco, Todd" <tplesco () CHAPMAN EDU>
Subject: Lockout Settings

I'd like to get everyone's feedback on their current enterprise settings
for screen lockout.  This discussion has re-emerged for us as we roll
out Sharepoint with Windows Authentication (rather than through an ISA
server) which will provide portals (without a second login/password
requirement) into some applications which maintain sensitive data.  Is
everyone using a 15 minute screen lockout?  Do you have Sharepoint?
Browser timeout?

Todd A. Plesco, CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, June 11, 2009 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Timeout/Lockout Settings

15 minutes for us as well.  There are a few exceptions like an OU for
admissions counselors.  Lock it when you leave it is ideal.

Jacob Barros
Network Administrator
Grace College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard
Sent: Wednesday, June 10, 2009 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Timeout/Lockout Settings

I am curious to know how other peer institutions are setting up their
timeout/lockout settings.

How are you enforcing the timeouts (pointsec, windows settings,
screensaver,etc)?

How long must the PC be inactive for the timeout setting to take effect?
Do the time limits vary based on user?

Thanks all!

Adam Richard '05
IT Security Analyst/Operations Specialist

Messiah College
Hoffman 211
(717) 796-1800 x.6570

One College Ave.
Information Technology Services
Box 3055
Grantham, PA 17027

"ITS will never ask you for your password"

------------------------------

Date:    Fri, 27 Aug 2010 13:36:56 -0700
From:    "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Subject: Re: Lockout Settings

Hi Todd,

From an internal audit perspective, screen lockouts should be risk based. Obviously they are more important depending on the type of data that is involved and that could potentially be viewed / altered by unauthorised parties. Sounds like you are dealing with sensitive data but if any of this is regulated data, e.g. personally identifiable data, then this may raise the risk even higher.

Also, consideration should be given to what type of environment is in place, e.g. open plan versus closed locked offices.

Lastly, users should be educated on the security risks of leaving open screens unattended and policy should drive behaviour to get employees to 'cntl alt delete' before they leave their desk.

Once the above has been considered, management can make an informed decision about whether to set at 10, 15, 20 etc minutes before screen lock out.

Cheers,

Jen



Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone:  604-822-6512
Fax:  604-822-9027
E-mail:  Jradford () intaudit ubc ca
Web:  www.intaudit.ubc.ca
The information contained in this e-mail message is strictly confidential and intended solely for the use of the designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Plesco, Todd
Sent: Friday, August 27, 2010 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Lockout Settings

I'd like to get everyone's feedback on their current enterprise settings for screen lockout.  This discussion has re emerged for us as we roll out Sharepoint with Windows Authentication (rather than through an ISA server) which will provide portals (without a second login/password requirement) into some applications which maintain sensitive data.  Is everyone using a 15 minute screen lockout?  Do you have Sharepoint? Browser timeout?

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041



------------------------------

Date:    Fri, 27 Aug 2010 16:53:15 -0400
From:    "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Subject: Re: Lockout Settings

We use 15 as the default, but some areas are set to as little as 5 (health center, bursar, etc.)

And controlled at the domain level so the user cannot disable it.

Good luck




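An added example, not from the thread or from any of the posters: a PowerShell check a desktop administrator can run to confirm that the screen lock on a Windows workstation is enforced by Group Policy (so the user cannot switch it off) and that the idle timeout is within the institution's limit. It assumes the standard registry locations that the "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" policies write to; the function name and the MaxIdleMinutes parameter are my own.

```powershell
# Added example (not from the mailing-list thread). Audits the effective
# screen-lock policy on the current Windows user session.
#
# Assumption: the three Group Policy settings for the screen saver are
# written under HKCU\Software\Policies\...\Desktop, which a standard user
# cannot change; the same value names under HKCU\Control Panel\Desktop are
# the user's own preference and can be turned off by the user.

function Get-ScreenLockPolicy {
    param(
        # Maximum idle time the institution's policy allows, in minutes.
        # 15 is the default the thread reports; use 5 for areas such as a
        # health center or bursar's office.
        [int]$MaxIdleMinutes = 15
    )

    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    # Prefer the policy hive; fall back to the user preference so the report
    # shows both what is in effect and whether it is merely a user choice.
    if (Test-Path $policyKey) {
        $source = 'GroupPolicy'
        $key = Get-ItemProperty -Path $policyKey
    } else {
        $source = 'UserPreference'
        $key = Get-ItemProperty -Path $userKey
    }

    # Missing values cast to '' / 0, which correctly reads as "not enforced".
    $active  = ([string]$key.ScreenSaveActive)    -eq '1'
    $secure  = ([string]$key.ScreenSaverIsSecure) -eq '1'
    $timeout = [int]$key.ScreenSaveTimeOut        # seconds of idle time

    [pscustomobject]@{
        Source            = $source
        ScreenSaverActive = $active
        LockOnResume      = $secure
        TimeoutMinutes    = [math]::Round($timeout / 60, 1)
        # Compliant only when the lock comes from policy, is password
        # protected, and fires within the allowed idle window.
        Compliant         = ($source -eq 'GroupPolicy' -and $active -and $secure -and
                             $timeout -gt 0 -and $timeout -le ($MaxIdleMinutes * 60))
    }
}

# Usage: report for the current session against the 15 minute default.
Get-ScreenLockPolicy -MaxIdleMinutes 15 | Format-List
```

The Source field is the point of the check: a lock that only shows up under the user preference key is exactly the setting a user can disable, whereas a domain-level policy lands under the Policies key. For a stricter OU, pass -MaxIdleMinutes 5; to survey a fleet, run the function through Invoke-Command against the workstations and filter on Compliant -eq $false.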

------------------------------

Date:    Fri, 27 Aug 2010 15:53:32 -0500
From:    "Doty, Timothy T." <tdoty () MST EDU>
Subject: Re: Lockout Settings

I would just like to point out that "Windows Key-L" is faster and more
reliable than the ctrl-alt-del method.

I've had windows be sluggish about pulling up the dialog, and iffy for
catching the return key stroke -- all of which is significant if the
employee is in a hurry to leave.

Tim Doty



------------------------------

Date:    Fri, 27 Aug 2010 16:59:42 -0500
From:    "McCrary, Barbara" <bmccrary () OGSLP ORG>
Subject: Re: Lockout Settings

AGREED


Barbara McCrary
Chief Information Security Officer
MCSE, MCSE:Security, +Messaging, CompTia:Security+

bmccrary () ogslp org

Oklahoma State Regents for Higher Education
421 NW 13th, Ste 250
Oklahoma City, OK  73103
405 234.4316 office
405 234.4321 cell
405 234.4588 fax

Note:  This communication and attachments, if any, are intended solely for the use of the addressee hereof.  In addition, this information and attachments, if any, may contain information that is confidential, privileged and exempt from disclosure under applicable law, including, but not limited to, the Privacy Act of 1974.  If you are not the intended recipient of this information, you are prohibited from reading, disclosing, reproducing, distributing, disseminating, or otherwise using this information.  If you have received this message in error, please promptly notify the sender and immediately, delete this communication from your system.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, Timothy T.
Sent: Friday, August 27, 2010 3:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Lockout Settings

I would just like to point out that "Windows Key-L" is faster and more reliable than the ctrl-alt-del method.

I've had windows be sluggish about pulling up the dialog, and iffy for catching the return key stroke -- all of which is significant if the employee is in a hurry to leave.

Tim Doty


------------------------------

End of SECURITY Digest - 26 Aug 2010 to 27 Aug 2010 (#2010-182)
***************************************************************

