Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Password Reset Policy?

From: Russ Leathe <Russ.Leathe () GORDON EDU>
Date: Mon, 13 Jan 2014 19:25:08 +0000
We recently made everyone change their password (every 6 months).  It just so happened it fell on semester break 
(Christmas Break).  We had a large quantity of foreign students who did not have Internet Access and thus could not use 
our password reset page. We did  our best to identify the student - but I'm fearful of resetting someones password to a 
default and not have them be who they say they are (identity fraud). Do you have a password reset policy in place?   I 
was going to ask for their challenge and response question and the last four digits of their ss number.  I would like 
the to identify themselves before...

By going to a major city, they have cell coverage and can  check their email on their smartphone,  but resetting their 
email can only be done via the portal.


Any help would be welcome!

Russ Leathe
InfoSec
Gordon Collegr

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry 
Hoffman
Sent: Monday, January 13, 2014 2:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Encryption of exam papers

We have a similar service called, SecureShare that was developed in house.

We also don't recommend folks use dropbox but the unversity has entered into a contract with Box in which there are 
audit logs that can be examined (via request).

It's a nice trade-off and Box is supposedly willing to sign a BAA for HIPPA compliance, although we're not there yet so 
don't recommend storing HIPAA regulated data outside of our protected systems.

Cheers,
Harry


On 01/13/2014 01:45 PM, Kees Leune wrote:

The product is available to all users. Because we suspected that 
people might be using it to transfer sensitive information, we're 
keeping detailed logs, limiting the time that the message is exposed, 
and are running everything physically in-house using official SSL certs.

As sub-optimal as it is, I'd still rather have people use "stuff" that 
we can see, instead of seemingly free services like dropbox.

-Kees

*Dr. Kees Leune*
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936


On Mon, Jan 13, 2014 at 10:42 AM, Semmens, Theresa 
<theresa.semmens () ndsu edu

wrote:



 Kees,



At your institution, who is using the product?  Is it just for exam 
papers, or do you use it for anything other protected data?



Theresa



Theresa Semmens, CISA

NDSU Chief IT Security Officer

Office: 210D IACC

Mail: NDSU Dept 4500

PO Box 6050

Fargo, ND 58108-6050

P: 701-231-5870

F: 701-231-8541

E: Theresa.Semmens () ndsu edu

www.ndsu.edu/its/security



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Kees Leune
*Sent:* Monday, January 13, 2014 7:48 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Encryption of exam papers



We recently deployed FileSender, a Free Open Source Project sponsored 
by many of the European REN's. See 
https://www.assembla.com/spaces/file_sender/wiki for more detail.


  *Dr. Kees Leune*

Information Security Officer

Adelphi University
Garden City, NY
+1 (516) 877-3936



On Mon, Jan 13, 2014 at 4:48 AM, Eoin Dunne <eoin.dunne () dit ie> wrote:

 Hello Everyone,



I’m trying to find some best practices for securely distributing exam 
papers between Faculty and the Exams office. While the academics’ 
laptops are encrypted, it’s the unsecure circulation that creates a 
risk and I was wondering what approaches were being taken elsewhere.



Many thanks for all your help,



Eoin.



--

*Eoin Dunne*

IT Compliance Officer,

Information Services Department,

Dublin Institute of Technology,

143 Lower Rathmines Road, Dublin 6, Ireland.

( +353-1-402 3453 (direct line)
* eoin.dunne () dit ie
i www.dit.ie
Previous By Date Next
Previous By Thread Next

Current thread: