Educause Security Discussion mailing list archives

Re: Centralized Password Management


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 15 Dec 2017 16:32:17 +0000

Nick,

Is any evidence required for WCAG conformance?  I’ve seen plenty of sales folks who nod their heads and even sign the 
contracts, but have no idea what it really means and have never had any assessments performed.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nick Lewis <nlewis () INTERNET2 EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, December 15, 2017 at 7:39 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Centralized Password Management

Hi Brad,

Sorry for the confusion. When I said 508 compliance, what we include in the template contract is:

“all federal disability laws, including Section 508 of the Rehabilitation Act, and will also remain in conformance with 
Level AAA of the W3C Web Content Accessibility Guidelines 2.0.”

What we end up with in a final agreement is dependent on what the service validation group thinks is necessary and the 
service provider can agree to do, so whether we get AA vs AAA will depend on this aspect of validation.

Thanks,

Nick


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brad Judy 
<brad.judy () CU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, December 14, 2017 at 5:06 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Centralized Password Management

Like many other EDUs, the accessibility standard we look for with third-party service providers is WCAG 2.0 AA. It 
would be great if I2 used a standard like this during all of their Net+ negotiations.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nick Lewis <nlewis () INTERNET2 EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, December 14, 2017 at 2:18 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Centralized Password Management

Hi everyone,

I checked with LastPass for an update from when we last discussed this with them. We discussed 508 compliance with 
LastPass during the NET+ service validation and periodically since.

LastPass does not have a VPAT at this time, but does continue to develop consistent with the W3C guidelines and they 
believe themselves to be 508 and W3C compliant.  They have blind users using LastPass through JAWS, and are open to any 
improvements or working directly with any users experiencing issues.

We’ll continue to work with them and please let us know if you have any questions about the NET+ LastPass program.

Thanks,

Nick


Nick Lewis, MS, MA, CISSP
Program Manager, Security and Identity
Internet2
nlewis () internet2 edu



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Tom Horton 
<horton () CORNELL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, December 12, 2017 at 12:13 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Centralized Password Management


Hi Theresa - When we selected LastPass we asked them for a VPAT and they were not able to provide one. Perhaps we can 
ask as a group?

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Theresa Rowe 
<rowe () OAKLAND EDU>
Sent: Tuesday, December 12, 2017 9:28:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized Password Management

Has LastPass or any similar tool been able to provide a VPAT or similar documentation for accessibility compliance?

Theresa Rowe

Theresa Rowe
Chief Information Officer
Oakland University


On Thu, Dec 7, 2017 at 8:03 PM, Shelton Waggener <swaggener () internet2 edu> wrote:
All,
Yes there is a LastPass program with Internet2. We have also been working with them on how to accelerate adoption for 
campuses as more institutions are tackling this particular challenge.  Nick Lewis heads up that effort and will respond 
to any requests to netplus () internet2 edu or feel free to reach out to him directly 
at nlewis () internet2 edu

Best
Shel Waggener


On 12/7/17, 3:58 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Shen, Philip *HS" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of PS7XJ () HSCMAIL MCC VIRGINIA EDU> wrote:

    If I'm not mistaken, Internet2 has a deal with LastPass

    https://www.internet2.edu/products-services/cloud-services-applications/lastpass/



    Phil

    ________________________________
    From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Shawn Kohrman <skohrman () APU EDU>
    Sent: Thursday, December 7, 2017 5:18 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] Centralized Password Management

    We're using LastPass Enterprise and are liking it.

    -----
    Shawn A. Kohrman, CISSP, C|EH, CPT
    Executive Director, Information Services
    Security Architect

    Azusa Pacific University
    Information & Media Technology
    901 E. Alosta Ave., PO Box 7000
    Azusa, CA 91702-7000

    P:  626.815.2054 | F:  626.815.2061 | http://security.apu.edu/
    -----

    On Thu, Dec 7, 2017 at 2:00 PM, Madl, Michael <michael.madl () indwes edu> wrote:

    Interested in what vendor app the community may be using for centralizing passwords.  I have looked at several 
products and ran across a fairly straightforward and inexpensive one in TeamsID.



    Appreciate the feedback in advance!



    MICHAEL MADL
    INFORMATION SECURITY OFFICER
    UNIVERSITY INFORMATION TECHNOLOGY

    INDIANA WESLEYAN UNIVERSITY
    4201 SOUTH WASHINGTON STREET
    MARION, IN 46953

    765.677.2688   |   765.677.2020 FAX
    michael.madl () indwes edu

    INDWES.EDU/IT
