Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Carlos Lobato <clobato () NMSU EDU>
Date: Thu, 3 Apr 2014 16:40:35 +0000
All,

I would take a formal written risk-based approach as far as making decisions about password expiration and security awareness. The principle is roles & responsibilities. End-users (University Community) need to be made aware about what is at stake and the why of controls, and decision makers (Governing Body & Executive Management) should make well-informed Institution-wide decisions as far as the acceptance of risks and/or provide resources for mitigation and be crystal clear about the implementation of operating and technical security controls. For University management the damage to the reputation/cost/fines is a huge concern and for sure faculty, staff and students will feel let down in the event of a data breach involving their PII. Example, the banking industry requires strict controls, but we know what is at stake. My bank specifically requires multi-factor authentication and password changes every 90 days with highly strict complexity requirements and I'm ok because they have educated me on what is at stake.

My two cents.

Carlos

Carlos S. Lobato, CISSP, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Roger A Safian <r-safian () NORTHWESTERN EDU>
Sent: Thursday, April 03, 2014 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs
And in another couple of months that will all happen again
Personally I think that forced frequent password changes do more harm than good.