  1. #1

    Password and Access Policy for Accounts

    Hi All:

    I am doing a review of our policies for passwords and access to accounting software. I wonder if some of you might share your school's policies.

    1. Do you force a password change every (say) 6 months?
    2. Does someone other than the Head of IT have the uber password? The Head/Director/Bursar?
    3. For coders/developers, what sort of access and password policies exist? For example, do those writing programs to query accounts info have full access?
    4. Do you have any policy documents you might consider sharing?

    Thanks so much,

    Patman

  2. #2

    elsiegee40:
    The quick ones:
    We force a password change in week 2 of each term... so 3 times a year
    The master password is safely locked in the safe. No, the head and bursar are not entrusted with it, nor is anyone else. Even with it in the safe I have a horror story at their hands

  3. Thanks to elsiegee40 from:

    Patman (23rd September 2013)

  4. #3

    matt40k:

  6. #4

    Greg:
    1. Do you force a password change every (say) 6 months?
    - Every 60 days

    2. Does someone other than the Head of IT have the uber password? The Head/Director/Bursar?
    - The service (your accounting software) owner and principal internal support/dev with responsibility for the service - not necessarily the Head of IT.

    3. For coders/developers, what sort of access and password policies exist? For example, do those writing programs to query accounts info have full access?
    - If they are external, then I would expect them to be developing on their own test system with test data, not yours. If connecting to your system to fix, I would set up a remote connection for them via my system and babysit them. If they are accessing your live data then you need to look at the implications of access to that data by an external company and any associated risks.

  8. #5

    Thanks for your replies so far.

    How do your staff feel about the password changes? Must the new password be sufficiently dissimilar to the old? Do staff write them down? Forget them?

    Elsiegee40, what is the procedural reasoning behind the password in a safe? How will it be accessed? By whom? Under what conditions?

    Greg- these are internal developers

    Once again, thanks for the replies, they are very helpful.

  9. #6

    vikpaw:
    Staff hate changing passwords and usually end up just adding a number to the end if you don't stop that.

    Putting them in a safe is so if the person who knows it gets hit by a bus, then the head or a sufficiently authoritative source can take it out and ensure continuity of systems. I'd imagine it most likely going to a replacement or trusted third party support team. Even then it's risky handing credentials out, but it shouldn't be taken out cos you're on holiday and the head of IT can't access emails, or the Dep. Head has brought in a company to install AN.Other behaviour system and needs to link it to your database.

  11. #7

    elsiegee40:
    Quote Originally Posted by Patman:
    "Thanks for your replies so far.

    How do your staff feel about the password changes? Must the new password be sufficiently dissimilar to the old? Do staff write them down? Forget them?"

    Of course they forget them. The rules regarding difference are done through Server 2008... it requires complexity, but differences can be minor. Staff receive training in how to choose an easy to remember and hard to crack password.

    Quote Originally Posted by Patman:
    "Elsiegee40, what is the procedural reasoning behind the password in a safe? How will it be accessed? By whom? Under what conditions?"

    I am a lone technician in a school. If I get run over by a bus then the password is in the safe for whoever takes over. It is a disaster if that password needs to be removed... there is also an admin login and password in the safe that a substitute tech should use in the first instance.

    Having had the master password given to a third party supplier while I was on holiday so they could install software in my absence... I am very touchy on this one. The boss was told in no uncertain terms that what had been done was the equivalent of handing over the school keys, alarm code and leaving all the offices and filing cabinets unlocked... and that they, not me, would be the one who got the fine from the ICO for Data Protection breaches.

    It should be signed out by the head or bursar only in an emergency... but, as I found out, there are no guarantees.

  13. #8

    unixman_again:
    We've just tightened ours up:
    • change them 3 times a year
    • you can't use one of the last three passwords you've used
    • passwords have to be 8 characters or more
    • can't contain any of your names or user id
    • contain three of the four character types:
      * upper case
      * lower case
      * number
      * symbol


    We had a bit of a problem with new students. We set the initial password to be their DOB as Sdd/mm/yyyy. At orientation, some teachers forgot to mention the / and others didn't say to use a four digit year. I reckon we had 1/2 the students coming to IT to have their accounts unlocked. (Accounts lock after three failures.) One thing I am not sure about is that we have "force password change at first login" enabled. A lot of students decided to set their phones up for email. Assuming they got the password in the correct format and were able to receive emails on their phone, would this count as the first login? If it does, how does the password get changed? Three weeks into the new term, we still have students who haven't logged into a computer.

    As to the admin passwords, the four of us in IT know them and perhaps our big cheese (although I don't think he does). The principal doesn't know it. The IT manager has a few additional passwords which he keeps to himself, and AFAIK these aren't recorded anywhere. If he goes under the Number 11 bus, then I guess it would fall to me as second in command to either work out what they are, or crack/reset them.

    In previous jobs as IT Manager, both in schools and industry, only I knew the root password. It was written in a sealed envelope kept in the safe and it could only be opened in extreme circumstances, such as my death.
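
    As an added example (not code from the thread or any poster), here is a small Python checker for the rules unixman_again lists above: minimum length, no names or user id in the password, three of the four character types, and no reuse of the last three passwords. Storing the history as salted PBKDF2 hashes is my assumption; the user id, names and old passwords in the demo are constructed.

```python
import hashlib
import hmac
import os
import string

# Rule values as posted in the thread; the code itself is an assumed implementation.
MIN_LENGTH = 8
HISTORY_DEPTH = 3       # cannot reuse one of the last three passwords
MIN_CHAR_CLASSES = 3    # three of: upper case, lower case, number, symbol

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never contains plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def remember(password: str) -> tuple[bytes, bytes]:
    """Produce the (salt, digest) pair to keep in a user's password history."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def check_password(password: str, user_id: str, names: list[str],
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in [user_id, *names]:
        # Case-insensitive: 'Smith' inside 'smith12' still counts.
        if token and token.lower() in lowered:
            problems.append(f"contains '{token}'")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CHAR_CLASSES:
        problems.append(f"uses {sum(classes)} of 4 character types, need {MIN_CHAR_CLASSES}")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems

if __name__ == "__main__":
    # Constructed user and history, not real data.
    past = [remember("Summer2013!"), remember("Autumn2013!")]
    for candidate in ("Autumn2013!", "smith12", "Tr0ub4dor&Key"):
        print(candidate, check_password(candidate, "jsmith", ["John", "Smith"], past))
```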

  15. #9

    vikpaw:
    This would make a good discussion at the next ED-IT conference. If a bunch of us (well, you, as I prob won't make it) got hit by a bus while crossing a road at the conference, a whole bunch of schools would be up the creek.
    I saw a presentation on estate planning, and how important it is to a) make a plan and b) inform people about it. The same applies here: if you have all passwords in a file or encrypted on your phone, that's fine, but you have to tell someone where they are and how to access them in an emergency. A common mistake is to put them somewhere too secure, e.g. a phone. I know our IT Manager has his there, but if he were bussed down we'd have to hack into the phone. A common safe is much better.

  16. Thanks to vikpaw from:

    Patman (24th September 2013)

  17. #10

    Vikpaw - greetings from the UAE!

    Are we addressing 3 issues here?
    1. Access control - who has access to what in MIS and accounts
    2. Continuing of service if disaster befalls a crucial IT Member
    3. Ability to audit behaviours for everyone, including the IT Manager and anyone else with access

    One approach has been to have an uber user/password that is locked away in a safe and available only under strict conditions and audit. This takes care of items 2 and 3, but can make item 1 a little cumbersome if permissions are restricted and the sysAdmin has limited access to slices of the system.

    Another approach is for several (say 2 or 3) higher-level sysAdmins to have full rights almost everywhere but to log in only with their own credentials, not a general admin user/password, and to have audit logging on. It solves the above issues with:

    1. MIS access control because it is logged and monitored by more than one person
    2. Continuation of service if tragedy befalls one of the three
    3. If one of the three is suspected of wrong-doing, the others can be approached for auditing purposes

    Am I off-base here?

    pjf
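
    An added example, not from the thread or any poster: a Python review of constructed audit lines that attributes changes to the named admin accounts Patman describes and flags any use of the shared safe-held account that has no matching sign-out in the register. The key=value log format, the sign-out register and the account names are all constructed assumptions.

```python
from datetime import datetime

# Constructed key=value audit lines for an accounts system (sample data, not real logs).
SAMPLE_LOG = """\
2013-09-23T08:02:11 event=logon user=alice.admin src=10.0.5.12 result=success
2013-09-23T08:05:40 event=change user=alice.admin table=ledger rows=3
2013-09-23T12:31:07 event=logon user=administrator src=10.0.9.77 result=success
2013-09-23T12:32:15 event=change user=administrator table=payroll rows=40
2013-09-24T09:10:00 event=logon user=administrator src=10.0.5.12 result=success
2013-09-24T09:11:30 event=change user=administrator table=ledger rows=1
""".splitlines()

# Constructed safe register: (account, signed out by, window start, window end).
SIGN_OUTS = [
    ("administrator", "bursar", "2013-09-24T09:00:00", "2013-09-24T10:00:00"),
]
# Shared accounts that should only ever be used after a sign-out from the safe.
BREAK_GLASS = {"administrator"}

def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def review(lines, sign_outs=SIGN_OUTS, break_glass=BREAK_GLASS):
    """Return (rows changed per accountable person, alerts for unsanctioned shared-account use)."""
    windows = [(acct, by, datetime.fromisoformat(s), datetime.fromisoformat(e))
               for acct, by, s, e in sign_outs]
    changes, alerts = {}, []
    for rec in map(parse_line, lines):
        who = rec["user"]
        if who in break_glass:
            # A shared account is only accountable through whoever signed it out.
            match = next((w for w in windows
                          if w[0] == who and w[2] <= rec["time"] <= w[3]), None)
            if match is None:
                alerts.append(f"{rec['time'].isoformat()} {who} {rec['event']} with no sign-out on record")
                continue
            who = f"{who} via {match[1]}"
        if rec["event"] == "change":
            changes[who] = changes.get(who, 0) + int(rec["rows"])
    return changes, alerts

if __name__ == "__main__":
    totals, flagged = review(SAMPLE_LOG)
    print(totals)
    print("\n".join(flagged))
```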

  18. #11

    vikpaw:
    Assalaam Alekum @Patman :O)
    You're not off-base, but finding 3 high level techs could be a problem in some schools. Many will have just 1 and possibly an assistant.
    So long as the setup is documented and agreed by management then at least you've taken reasonable steps. I'd rather the system was a little bit cumbersome but secure even if it means having to have a normal user account and an admin user account - this is usually the recommendation - rather than spending your lunch break on facebook clicking on things with domain admin rights.

  19. #12

    Yes, that is what we do, different admin level account to user account, but the admin level account is user-specific for audit.

    We are also fortunate with our staff - excellent skill level and experience background.

    If you are in Dubai, please stop in (Dubai College).
