Educause Security Discussion mailing list archives
Re: Password Management Policy & Standards
From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Fri, 26 Feb 2016 10:52:32 -0500
We currently are at 90 day expiration for staff and faculty, based primarily upon PCI. Now that we have gone card not present, SAQ-A, I'm toying with the idea of bringing it out to 6 months and increasing the minimum length.

Students do not have to change their passwords. Occasionally we find a student credential in a pony dump and we simply lock the account, without even checking the password. This seems to be pretty standard for all non-financial internet sites: Google may encourage me to change my password from time to time, but they don't require it unless they have a confirmed breach. Same with Amazon, Ebay, the list goes on. From an institutional risk standpoint a compromised student account doesn't give them much, even on the individual student.

I also agree with what has been stated: forced password rotation has been considered a best practice for a long time, but provides minimal added security.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720

From: Carlos Lobato <clobato () NMSU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/26/2016 10:34 AM
Subject: [SECURITY] Password Management Policy & Standards
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

All,

I highly appreciate the discussion regarding this topic and would highly appreciate to hear from you more on the specifics of how you are addressing the frequency of changing passwords. Additionally, if you are changing your passwords, is this requirement applicable to all types of accounts including service accounts, highly privileged accounts, student accounts, etc.? If you are not changing your passwords at all, please let me know as well, including your reasoning.

Carlos

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Wednesday, February 24, 2016 5:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Management Policy & Standards

Hello Colleagues,

I'm working on promoting institutional compliance with our current password policy, which requires regular password changes every 120 days for all accounts. However, I would like to know if some of you have created a table or matrix listing all of your types of accounts and whether password expiration dates vary depending on the type of account, which would be based on risk. If you have a listing, I would highly appreciate a link or a copy of your document. I am using various resources including NIST SP 800-118, and I can share with the group after I finish my analysis and potentially re-write our current NMSU password policy to make it more realistic.

Thank you so much for any input that you may have.

Carlos

Carlos S. Lobato, CISA, CISSP, CPA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278