Educause Security Discussion mailing list archives

Re: Authorizing password changes in a health science center
From: "Penn, Blake" <pennb () UWW EDU>
Date: Tue, 13 Feb 2007 15:20:28 -0600

I've seen the third factor (something you have) used in such
applications in the past - like handing out grid cards to your employees
and having the access management dept use the corresponding software to
issue the challenges based on the serial number of the employee's card.
Employees have to remember to report lost/stolen cards immediately, of
course!
  
___________________________________________
Blake Penn, CISSP                             
Information Security Officer          
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

***************************************************

From: David Grisham [mailto:DGrisham () SALUD UNM EDU] 
Sent: Tuesday, February 13, 2007 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authorizing password changes in a health science
center

The hospital has for a long time required a facsimile of the
identification badge each time a password change is requested.  It is a
new century, and programs like Photoshop presented a new risk to that
process.  We do not want to ask for personal information on any email or
phone call request.  (Our staff could be around others who might take
advantage of that information, if overheard.)
We have added password challenge questions for half of our systems.  The
patient systems cannot be placed into a web page challenge at this time.
What do your account groups do to verify the identity of someone
needing a password change to systems with confidential information?
 
 
Cheers. -grish
David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu
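
The grid-card check described in the reply above, sketched as an added example that is not part of the original thread or of any vendor's software. It assumes the card's cell values are derived from the card serial with an HMAC under a secret held by the access management system; the 5x10 layout, the key, the serial format and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ROWS, COLS = "12345", "ABCDEFGHIJ"     # assumed 5x10 card layout
MASTER_KEY = b"constructed-demo-key"   # assumption: secret held only by the help desk system
REVOKED = {"SN-0007"}                  # constructed: serials reported lost or stolen

def cell(serial, coord, key=MASTER_KEY):
    """Two-digit value printed at coord (e.g. 'C3') on the card with this serial."""
    digest = hmac.new(key, f"{serial}:{coord}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 100:02d}"

def print_card(serial):
    """Full grid for one card, as it would be printed and handed to the employee."""
    return {c + r: cell(serial, c + r) for r in ROWS for c in COLS}

def new_challenge(n=3):
    """Pick n distinct coordinates with a CSPRNG; the server, not the caller, chooses."""
    coords = [c + r for r in ROWS for c in COLS]
    return secrets.SystemRandom().sample(coords, n)

def verify(serial, challenge, answers, revoked=REVOKED):
    """True only if the card is not revoked and every challenged cell matches."""
    if serial in revoked or len(answers) != len(challenge):
        return False
    ok = True
    for coord, given in zip(challenge, answers):
        # Constant-time comparison per cell; no early exit on the first mismatch.
        ok &= hmac.compare_digest(cell(serial, coord).encode(), str(given).encode())
    return ok

if __name__ == "__main__":
    card = print_card("SN-0001")             # constructed serial
    challenge = new_challenge()
    print("Help desk asks for cells:", challenge)
    print("Correct card accepted:", verify("SN-0001", challenge, [card[c] for c in challenge]))
    lost = print_card("SN-0007")
    print("Revoked card accepted:", verify("SN-0007", challenge, [lost[c] for c in challenge]))
```

A deployment would also use each challenge once and limit failed attempts per serial, since three two-digit cells give only about one chance in a million per guess.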