NID Password Change Frequency PIC Submission dated 7/10/13 University Audit and Finance & Accounting Tax.


Summary
As UCF implements Shibboleth, the need for different logins and passwords will be reduced. The myUCF Federated Identity login system has allowed ARGIS, PARIS, AURORA, TERA, COI and interlibrary loan to be accessed via a single sign-on. UCF uses best practices for its password requirements.

Reason for Password Changes
Password changes reduce the risk that passwords may be discovered by unauthorized users who may then gain access to the University’s critical information. The risk increases with the length of time between password changes.

Basis for the 60 Day Interval
UCF Policy Data Classification and Protection requires that “passwords on systems holding confidential data must be changed every 60 days or less”. The CS&T University Standards Password Standards recommend that systems “observe these requirements via technical controls (e.g. password expiration controls) so that all university affiliated account passwords follow this policy.”

Basis for the 60 Day Interval
In a State Audit of CS&T completed in 2011, the Auditor General recommended the 60 day frequency for “general user accounts for critical or sensitive applications”.

Regulatory Requirements
Federal regulations (HIPAA Security Rule / HITECH Act Section (a)(5)(ii)(D)) require only that passwords be changed and do not stipulate an interval. Board of Governors Regulation Security of Data and Related Information Technology Resources, (3), states that the university’s security plan should be “based on best practices acquired from resources such as: Educause, National Institute of Standards (NIST), Information Systems Audit and Control Association (ISACA) or other recognized sources of information security practices and procedures.”

Industry Best Practices
NIST Standards / FISMA Provision Section suggests that passwords be changed at least every ninety days. ISO 17799:2005 Standards Section Password Use also only suggests that passwords be changed at regular intervals and that old passwords not be re-used or cycled.
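The two slides above name the intervals (60 days for systems holding confidential data under UCF policy, 90 days under the NIST figure cited) and the technical control meant to enforce them (password expiration). The following is an added illustration, not part of the original PIC submission or any UCF system: a small audit script that applies those two intervals to a constructed account inventory and reports which accounts are compliant, expired, or have no recorded last-change date at all (the case an expiration control cannot prove either way). The field names, account names and dates are assumptions made up for the example.

```python
"""Password-age compliance check for the two intervals discussed on this page.

Added example, not part of the original PIC submission. Assumes a simple
account inventory with a last-change timestamp and a flag for whether the
system holds confidential data; field names and sample records are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Maximum password age in days by data classification. The 60-day value is the
# UCF policy interval for systems holding confidential data; the 90-day value is
# the NIST figure the page cites for other systems. Both come from the page.
MAX_AGE_DAYS = {"confidential": 60, "general": 90}


def classify_account(account: dict, now: datetime) -> tuple[str, int | None]:
    """Return (status, age_in_days) for one account.

    status is one of:
      "compliant" - password age is within the interval for its classification
      "expired"   - password is older than the interval and must be changed
      "unknown"   - no last-change timestamp recorded, so compliance cannot be shown
    """
    changed = account.get("password_last_changed")
    if changed is None:
        return "unknown", None
    age = (now - changed).days
    tier = "confidential" if account["holds_confidential_data"] else "general"
    # "60 days or less" means an age of exactly 60 is still compliant.
    status = "expired" if age > MAX_AGE_DAYS[tier] else "compliant"
    return status, age


def audit(accounts: list[dict], now: datetime) -> dict[str, list[str]]:
    """Group account names by status so each bucket can be acted on."""
    report: dict[str, list[str]] = {"compliant": [], "expired": [], "unknown": []}
    for acct in accounts:
        status, _ = classify_account(acct, now)
        report[status].append(acct["name"])
    return report


# Constructed sample inventory (hypothetical names and dates, not UCF data).
NOW = datetime(2013, 7, 10, tzinfo=timezone.utc)  # the submission date on the page
SAMPLE_ACCOUNTS = [
    {"name": "alice",   "holds_confidential_data": True,  "password_last_changed": NOW - timedelta(days=45)},
    {"name": "bob",     "holds_confidential_data": True,  "password_last_changed": NOW - timedelta(days=75)},
    {"name": "carol",   "holds_confidential_data": False, "password_last_changed": NOW - timedelta(days=75)},
    {"name": "dave",    "holds_confidential_data": False, "password_last_changed": NOW - timedelta(days=91)},
    {"name": "svc-app", "holds_confidential_data": True,  "password_last_changed": None},
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Note that the same 75-day-old password is expired on a system holding confidential data but compliant elsewhere, which is exactly the distinction the policy draws; the "unknown" bucket is the one an auditor should look at first, since an expiration control that was never populated with a change date enforces nothing.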

Impact of Single Sign On
The CS&T university-wide initiative toward a single login credential using Shibboleth Federated Identity software allows users to sign in to the portal and transfer to other applications without having to sign in again. The progression of this initiative will help to mitigate the inefficiencies associated with more restrictive password change frequency requirements.

Summation
The current password change frequency is set at a 60 day interval to comply with an Auditor General recommendation, reduce the risk posed by unauthorized users, and follow best practice.

Action Plan
To address community concerns, CS&T could clarify the purpose of password changes and the associated risk in university standards documentation.