<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 5, 2017, at 9:27 AM, Todor Fassl <<a href="mailto:fassl.tod@gmail.com" class="">fassl.tod@gmail.com</a>> wrote:</div><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">This list has really come through for me again just with ideas I can bounce around. I'll have to tread lightly though. About a year ago, I configured the machines in our shared labs to log someone off after 15 minutes of inactivity. Believe it or not, that was controversial. Not with the faculty but with the students using the labs. It was an easy win for me but some of the students went to the faculty with complaints. Wait, you're actually defending your right to walk away from a workstation in a public place still logged in? In a way that's not such a bad thing. This is a university and the students should run the place. But they need a referee.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote></div><div class=""><br class=""></div><div class=""><span style="color: rgb(51, 51, 51); orphans: 2; widows: 2; background-color: rgb(255, 255, 255);" class="">TL;DR: I disagree. Follow compliance guidelines. People could go to jail in a governmental (college) setting. The laws are the referee, not us.</span></div><div class=""><br class=""></div><br class=""><div class=""><br class=""></div><div class="">I respectfully disagree. </div><div class=""><br class=""></div><div class="">Let me flex my ego muscle for a moment: “Jerald Sheets, Lead Security Architect - Infrastructure Hardening - PayPal, Inc” at your service.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Any university is bound by common rules and guidelines to adhere to “generally accepted security standards” in regards to systems connected to the university infrastructure for the purposes of satisfying protection of PII of students, faculty, and staff. This is also governed by FRPA and can include jail time under the right circumstances… Just saying.</div><div class=""><br class=""></div><div class="">Regardless of physical, network, and other similar security controls in place, host security demands that TMOUT be on, enabled, and unable to be circumvented.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><font face="Georgia" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div class=""><font face="Georgia" class=""><span style="font-size: 14px;" class=""><b class="">HIPAA:</b></span></font></div><div class=""><font face="Georgia" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class="">A covered entity should activate a password-protected screensaver that automatically prevents unauthorized users from viewing or accessing electronic protected health information from unattended electronic information system devices. </font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><b class="">SOX:</b></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class="">User session timeout is defined and in place for
authorized users
Audit and review user privil</font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><b class="">ITIL:</b></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class="">ISO/IEC 27002</font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class="">11.5.5 Session time-out</font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><b class="">PCI:</b></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: 14px;" class=""><font face="Georgia" class=""><br class=""></font></span></div><div class=""><span style="color: rgb(51, 51, 51); font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);" class=""><p style="margin: 0px 0px 20px; color: rgb(95, 95, 97); font-variant-ligatures: normal; background-color: rgb(242, 242, 242);" class=""><font face="Georgia" class=""><span style="font-size: 14px;" class="">8.5.15 Idle Session Timeout threshold</span></font></p><ul style="margin: 0px 0px 0px 20px; padding: 0px; color: rgb(95, 95, 97); font-variant-ligatures: normal; background-color: rgb(242, 242, 242);" class=""><li style="margin: 0px 0px 5px; padding: 0px;" class=""><font face="Georgia" class=""><span style="font-size: 14px;" class="">Disconnect Idle session is less than or equal to 15 minutes</span></font></li></ul><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">These are the reasonings I use with CISOs, CIOs and CEOs to explain to them that just because Devs are yelling about various security controls does not mean they get to have what they want.</div><div class=""><br class=""></div><div class="">“You could go to jail over this one” has been uttered more than once by me, and I count it a great responsibility on my part as a Security guy first and a Systems guy second to ensure that the law and various compliance guidelines are followed.</div><div class=""><br class=""></div><div class="">If I have people continuing to demand non-compliance, I work up a business case for them to sign their name to “when the auditors come around on this, they’ll want to know who’s responsible and who should be prosecuted in the event of data loss or breach”. That usually gets their attention and gets them to think twice about these things.</div><div class=""><br class=""></div><div class="">The balance is ALWAYS security versus usability, and the security guidelines we are both legally and honor-bound to follow are the “referee” here. You aren’t. I implement what’s given to me within the confines of the law, and I do not step outside of it. No student, teacher, full or associate professor, department chair has the authority to overrule these guidelines.</div><div class=""><br class=""></div><div class="">The board or president of your university does, and they are ultimately responsible (as any CEO would be) for what goes on both physically and virtually on their campus. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">—j</div><div class=""><br class=""></div><div class=""><br class=""></div></span></div></body></html>