Educause Security Discussion mailing list archives
Password Reset Policy?
From: Russ Leathe <Russ.Leathe () GORDON EDU>
Date: Mon, 13 Jan 2014 19:25:08 +0000
We recently made everyone change their password (every 6 months). It just so happened it fell on semester break (Christmas Break). We had a large quantity of foreign students who did not have Internet Access and thus could not use our password reset page. We did our best to identify the student - but I'm fearful of resetting someones password to a default and not have them be who they say they are (identity fraud). Do you have a password reset policy in place? I was going to ask for their challenge and response question and the last four digits of their ss number. I would like the to identify themselves before... By going to a major city, they have cell coverage and can check their email on their smartphone, but resetting their email can only be done via the portal. Any help would be welcome! Russ Leathe InfoSec Gordon Collegr -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry Hoffman Sent: Monday, January 13, 2014 2:05 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Encryption of exam papers We have a similar service called, SecureShare that was developed in house. We also don't recommend folks use dropbox but the unversity has entered into a contract with Box in which there are audit logs that can be examined (via request). It's a nice trade-off and Box is supposedly willing to sign a BAA for HIPPA compliance, although we're not there yet so don't recommend storing HIPAA regulated data outside of our protected systems. Cheers, Harry On 01/13/2014 01:45 PM, Kees Leune wrote:
The product is available to all users. Because we suspected that people might be using it to transfer sensitive information, we're keeping detailed logs, limiting the time that the message is exposed, and are running everything physically in-house using official SSL certs. As sub-optimal as it is, I'd still rather have people use "stuff" that we can see, instead of seemingly free services like dropbox. -Kees *Dr. Kees Leune* Information Security Officer Adelphi University Garden City, NY +1 (516) 877-3936 On Mon, Jan 13, 2014 at 10:42 AM, Semmens, Theresa <theresa.semmens () ndsu eduwrote:Kees, At your institution, who is using the product? Is it just for exam papers, or do you use it for anything other protected data? Theresa Theresa Semmens, CISA NDSU Chief IT Security Officer Office: 210D IACC Mail: NDSU Dept 4500 PO Box 6050 Fargo, ND 58108-6050 P: 701-231-5870 F: 701-231-8541 E: Theresa.Semmens () ndsu edu www.ndsu.edu/its/security *From:* The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Kees Leune *Sent:* Monday, January 13, 2014 7:48 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Encryption of exam papers We recently deployed FileSender, a Free Open Source Project sponsored by many of the European REN's. See https://www.assembla.com/spaces/file_sender/wiki for more detail. *Dr. Kees Leune* Information Security Officer Adelphi University Garden City, NY +1 (516) 877-3936 On Mon, Jan 13, 2014 at 4:48 AM, Eoin Dunne <eoin.dunne () dit ie> wrote: Hello Everyone, I’m trying to find some best practices for securely distributing exam papers between Faculty and the Exams office. While the academics’ laptops are encrypted, it’s the unsecure circulation that creates a risk and I was wondering what approaches were being taken elsewhere. Many thanks for all your help, Eoin. -- *Eoin Dunne* IT Compliance Officer, Information Services Department, Dublin Institute of Technology, 143 Lower Rathmines Road, Dublin 6, Ireland. ( +353-1-402 3453 (direct line) * eoin.dunne () dit ie i www.dit.ie
Current thread:
- Password Reset Policy? Russ Leathe (Jan 13)
- Re: Password Reset Policy? Roger A Safian (Jan 13)
- Re: Password Reset Policy? Russell Fulton (Jan 18)
- Re: Password Reset Policy? Roger A Safian (Jan 13)