Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Carlos Lobato <clobato () NMSU EDU>
Date: Thu, 3 Apr 2014 16:40:35 +0000

All,

I would take a formal written risk-based approach as far as making decisions about password expiration and security 
awareness.  The principle is roles & responsibilities.

End-users (University Community) need to be made aware about what is at stake and the why of controls, and decision 
makers (Governing Body & Executive Management) should make well-informed Institution-wide decisions as far as the 
acceptance of risks and/or provide resources for mitigation and be crystal clear about the implementation of operating 
and technical security controls.  For University management the damage to the reputation/cost/fines is a huge concern 
and for sure faculty, staff and students will feel let down in the event of a data breach involving their PII.

For example, the banking industry requires strict controls, but we know what is at stake.  My bank specifically requires 
multi-factor authentication and password changes every 90 days with highly strict complexity requirements and I'm OK 
because they have educated me on what is at stake.

My two cents.

Carlos,

Carlos S. Lobato, CISSP, CISA, CIA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003

Phone (575) 646-5902
Fax (575) 646-5278

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Roger A Safian 
<r-safian () NORTHWESTERN EDU>
Sent: Thursday, April 03, 2014 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password expiration - was Re: [SECURITY] Security Awareness Programs

And in another couple of months that will all happen again.

Personally I think that forced frequent password changes do more harm than good.
