Re: [External] [SECURITY] Duo/2FA exemption policies

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

When we first rolled out MFA (Microsoft version), hardware tokens weren’t an option so we exempted people who claimed 
to not have a cell phone (and a couple who argued about not wanting to use a personal phone for work).  In the end that 
was about 40 people out of 28,000 account holders.  We’re now in the process of deploying tokens to those people, so 
essentially we won’t have any exceptions soon.

We also have a process in place to allow the help desk to temporarily disable MFA for people who are in the process of 
replacing a lost/broken phone, but I assume you are looking for ongoing/long-term exceptions.

We don’t have these exceptions in print as part of a policy other than the general disclaimer that the CISO or a 
delegate should be contacted for any exceptions to the Data Security Standards policy, which states that all Red and 
Yellow data systems should be protected by MFA.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu/>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker
Sent: Tuesday, August 13, 2019 6:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Duo/2FA exemption policies

I'm interested in knowing the circumstances under which other institutions exempt users from 2FA requirements. If you 
have a policy or standard operating procedure covering this, I'd appreciate the share. Thank you!

Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554
_______________________________________________________________
Duo 2-Factor Authentication is coming! Learn more at 
https://www.scu.edu/duo<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.scu.edu%2Fduo&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cc52e6fa654de4ed4d3dc08d720430296%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637013344506896446&sdata=uwPm2XD6GYdKEb1xnUF6%2FW%2BcZfRYmqKzqIJsc5szncw%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cc52e6fa654de4ed4d3dc08d720430296%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637013344506896446&sdata=peH4jw%2FBk42Owcqs4rzVg1YyYc2gX0cgGQRWNtRh94c%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community