Office of the Chief Information Officer
Connect, February 2006: Security Article
 

The Dilemma of Passwords

by Kent Strickland


The August 2005 issue of Connect detailed password management practices, and the December issue advocated use of risk management practices to balance security appropriately for the environment.  In this issue, the two topics converge to illustrate appropriate practices that should be followed by all BGSU faculty and staff.

 

The goal of managing information, technology and staff is to maintain the confidentiality, integrity and availability of information.

 

Scenario:  An employee will be away from the office for an extended period of time.  During the employee’s absence, the office must maintain normal operation.  In coordinating this transition, the employee is asked by the supervisor for his or her computer account password in order to continue providing acceptable service with substitute personnel.  The employee complies but is concerned and seeks advice.

 

Assumptions:  1) both the supervisor and employee want to be ethical; 2) the case does not involve data encryption, which entails additional complexity and administrative procedures to prevent a personal password from denying the University access to information in its control.

 

Employee dilemma:  University policy requires that employees protect personal passwords.  This “best practice” is necessary for protecting the confidentiality and integrity of information, by establishing accountability through user authentication.  Inappropriate activity under a borrowed account could lead to information breaches, wrongful accusations, difficult and lengthy investigations, and result in increased scrutiny or liability.  Employees must adhere to policies, but may not be insubordinate.

 

Supervisor dilemma:  Supervisors must adhere to the same policies as the employee, but must also ensure the availability of information and services in spite of substantial workload demands and resource constraints.  By requiring the employee to relinquish the computer account (identity), the employee is taught that the policies are irrelevant or do not apply at higher levels, creating mixed standards, distrust and stress.  Yet, the information and services are useless if locked away.

 

Conflict:  The policy is not the problem in this case, but serves to expose the problem.  While each individual is supporting some important qualities of security, confidentiality and integrity are in conflict with availability in this situation.

 

SOLUTIONS:

 

Protect confidentiality and integrity:

Protect personal account passwords according to University policy.  Do not tell others, including family members, your personal password and do not ask others for theirs.

 

Improve availability:  Implement acceptable ways of providing shared services without compromising personal electronic identity and accountability:

  • Create overlapping or backup capabilities with other employee accounts so that an employee absence (inconvenient but normal circumstance) can be accommodated:
  • Use group, office or departmental email accounts (changing passwords periodically and when an employee using a shared account leaves the University);
  • Use shared file systems so that others in the office can access vital information;
  • Implement appropriate access controls, administrative support, technical support, training and monitoring to preserve information confidentiality and integrity.

 

The solution lies in being able to utilize strategic management techniques at all points of information technology decision control in order to navigate the rapidly changing technology environment with all of its associated opportunities and risks.  Continue to look to the Advice section of the Information Security & Privacy Web site, www.bgsu.edu/infosec/.  It is being reorganized to facilitate a rudimentary risk assessment and risk treatment process to assist in understanding and implementing sound solutions.

 

-Kent Strickland, ITS security officer

 

 

 