
Message from russ.leathe@gordon.edu

We recently made everyone change their password (every 6 months). It just so happened it fell on semester break (Christmas Break). We had a large quantity of foreign students who did not have Internet access and thus could not use our password reset page. We did our best to identify the student - but I'm fearful of resetting someone's password to a default and not have them be who they say they are (identity fraud). Do you have a password reset policy in place? I was going to ask for their challenge and response question and the last four digits of their ss number. I would like them to identify themselves before...

By going to a major city, they have cell coverage and can check their email on their smartphone, but resetting their email can only be done via the portal.

Any help would be welcome!

Russ Leathe
InfoSec
Gordon College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Harry Hoffman
Sent: Monday, January 13, 2014 2:05 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Encryption of exam papers

We have a similar service called SecureShare that was developed in house.

We also don't recommend folks use dropbox but the university has entered into a contract with Box in which there are audit logs that can be examined (via request).

It's a nice trade-off and Box is supposedly willing to sign a BAA for HIPAA compliance, although we're not there yet so don't recommend storing HIPAA regulated data outside of our protected systems.

Cheers,
Harry

On 01/13/2014 01:45 PM, Kees Leune wrote:
> The product is available to all users. Because we suspected that
> people might be using it to transfer sensitive information, we're
> keeping detailed logs, limiting the time that the message is exposed,
> and are running everything physically in-house using official SSL certs.
>
> As sub-optimal as it is, I'd still rather have people use "stuff" that
> we can see, instead of seemingly free services like dropbox.
>
> -Kees
>
> *Dr. Kees Leune*
> Information Security Officer
> Adelphi University
> Garden City, NY
> +1 (516) 877-3936

Comments

We have an annual password change requirement. About 30 days prior to the password expiring you begin to get messages reminding you of the date. Nonetheless, we still have people who don't do it, or forget their password after the change. We do have a self service password change page, based on questions and a PIN. If that fails you either need to come to our help desk with an ID OR have your department chair contact us on your behalf.

Hope that helps.

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Russ Leathe
> Sent: Monday, January 13, 2014 1:25 PM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: [SECURITY] Password Reset Policy?
>
> We recently made everyone change their password (every 6 months). It just so
> happened it fell on semester break (Christmas Break). We had a large quantity
> of foreign students who did not have Internet access and thus could not use our
> password reset page. We did our best to identify the student - but I'm fearful
> of resetting someone's password to a default and not have them be who they
> say they are (identity fraud). Do you have a password reset policy in place? I
> was going to ask for their challenge and response question and the last four
> digits of their ss number. I would like them to identify themselves before...
>
> By going to a major city, they have cell coverage and can check their email on
> their smartphone, but resetting their email can only be done via the portal.
>
> Any help would be welcome!
>
> Russ Leathe
> InfoSec
> Gordon College
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Harry Hoffman
> Sent: Monday, January 13, 2014 2:05 PM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Encryption of exam papers
>
> We have a similar service called SecureShare that was developed in house.
>
> We also don't recommend folks use dropbox but the university has entered into
> a contract with Box in which there are audit logs that can be examined (via
> request).
>
> It's a nice trade-off and Box is supposedly willing to sign a BAA for HIPAA
> compliance, although we're not there yet so don't recommend storing HIPAA
> regulated data outside of our protected systems.
>
> Cheers,
> Harry
>
> On 01/13/2014 01:45 PM, Kees Leune wrote:
> > The product is available to all users. Because we suspected that
> > people might be using it to transfer sensitive information, we're
> > keeping detailed logs, limiting the time that the message is exposed,
> > and are running everything physically in-house using official SSL certs.
> >
> > As sub-optimal as it is, I'd still rather have people use "stuff" that
> > we can see, instead of seemingly free services like dropbox.
> >
> > -Kees
> >
> > *Dr. Kees Leune*
> > Information Security Officer
> > Adelphi University
> > Garden City, NY
> > +1 (516) 877-3936
On 14/01/2014, at 9:24 am, Roger A Safian wrote:

> We have an annual password change requirement. About 30 days prior to the password expiring you begin to get messages reminding you of the date. Nonetheless, we still have people who don't do it, or forget their password after the change. We do have a self service password change page, based on questions and a PIN. If that fails you either need to come to our help desk with an ID OR have your department chair contact us on your behalf.

We have a very similar arrangement and when we implemented the requirement we staggered the expiries so you don’t get everything expiring at once.

Russell
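
The staggering described in the reply above, combined with keeping expiry dates out of a break like the one in the original question, as an added example that is not code from any poster or their institution. The 180-day period, the break dates, the rollout date, the account names and all function names are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter
from datetime import date, timedelta

# Constructed policy values for illustration only.
PERIOD_DAYS = 180                                        # "every 6 months"
BLACKOUTS = [(date(2013, 12, 14), date(2014, 1, 12))]    # semester break, inclusive


def in_blackout(day, blackouts=BLACKOUTS):
    """True if the day falls inside any no-expiry window."""
    return any(start <= day <= end for start, end in blackouts)


def eligible_days(rollout, period_days=PERIOD_DAYS, blackouts=BLACKOUTS):
    """Days in the first policy period on which a password may expire."""
    window = (rollout + timedelta(days=n) for n in range(period_days))
    return [day for day in window if not in_blackout(day, blackouts)]


def first_expiry(account, rollout, period_days=PERIOD_DAYS, blackouts=BLACKOUTS):
    """Stable, evenly spread first expiry date for one account.

    Hashing the lower-cased account name keeps the assignment repeatable
    without storing extra state, and no account gets longer than the
    policy period.
    """
    days = eligible_days(rollout, period_days, blackouts)
    if not days:
        raise ValueError("blackout windows cover the whole policy period")
    digest = hashlib.sha256(account.lower().encode("utf-8")).digest()
    return days[int.from_bytes(digest[:8], "big") % len(days)]


def daily_load(accounts, rollout):
    """Count how many accounts expire on each date (help desk load)."""
    return Counter(first_expiry(name, rollout) for name in accounts)


if __name__ == "__main__":
    rollout = date(2013, 9, 1)                            # constructed date
    accounts = [f"student{n:04d}" for n in range(2000)]   # constructed names
    load = daily_load(accounts, rollout)
    busiest, count = load.most_common(1)[0]
    print(f"{len(load)} expiry dates used, busiest {busiest}: {count} accounts")
    print("any expiry during break:", any(in_blackout(d) for d in load))
```

This sets only the first staggered date; later expiries counted from each user's own change date would need the same blackout check.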