Attendees
Mary Dunker
Greg Kroll
Karen Herrington
Joyce Landreth
Kevin Davis
Susan Brooker-Gross
Kevin Rooney
Brenda van Gelder
Agenda
- Discussion of recent events and their effect on this project
  - Dropping use of secret questions
  - Internal Audit comments from closing meeting for IMS audit regarding IT password reset procedures
  - Implications of those comments on this project
- Review discussion/decisions from last meeting (May 4th)
- Project structure & management
  - Structure & manage as a single project with policy, technical design and development, and communications, documentation, and training deliverables
  - Kevin Rooney has agreed to lead the technical team for this project
  - Current project team:
    - Greg Kroll; Mary Dunker; Randy Marchany; Karen Herrington; Joyce Landreth; Susan Brooker-Gross; Nate Smith; Kevin Rooney
  - Review "Addendum 1" of PM Scope form. Who else needs to be involved?
  - Other project structure & management comments?
- Review where we stand on project scope (collecting requirements)
  - Start here 20090430 - Sponsor Summary April 30, 2009
  - And here 20100309 - Sponsor Summary March 9, 2010
Meeting Notes
- Discussion of recent events and their effect on this project
  - Brenda related the following news from Erv:
    - IMS received an Internal Audit (IA) comment regarding the security of our password reset process. Specifically, the information used by the call center to reset a user's password is information that is in the "public domain" and therefore not secure. The final comment received stated that "the password reset process needs to be strengthened."
    - IT's response to this comment is to strengthen the process by leveraging a self-service password reset process in which the user would be the only one who knows both the information used to change the password and the password itself.
    - Erv is now the sponsor of this project. Review and update the current project initiation form (PIF) for Erv's approval.
    - Erv, Brenda, and Karen need to be kept in the loop on issues and progress of this project.
    - Erv proposed a November 1, 2010 deadline for this team to complete a plan for Internal Audit to read and accept as sufficient to address the IMS audit comment.
  - Those present discussed the value of completing a PIF versus a project scope form and/or a requirements document, which contains more detail than the PIF. What we present to IA for their review may or may not be official project management documentation such as a scope document; it could be a requirements document or a draft plan of some sort.
  - Randy Marchany (ITSO) has commented that implementing secret questions as part of a self-service password reset process does not give a significantly more secure process and may not be worth the effort to implement.
    - Because this project team is divided on the security and usefulness of secret questions, it may be best to eliminate them from the first phase of this project and defer their consideration to a later phase.
    - If we decide not to use secret questions, we need to document our consideration of them and the reasons for rejecting them.
  - There was some discussion of the difference between secret questions and challenge/response questions.
    - Secret questions: only the user knows the questions and answers, which are set up through some sort of enrollment process.
      - Some team members consider secret questions appropriate only for self-service resets and not for over-the-phone password resets.
    - Challenge/response: the user is presented with stored personal information about themselves that they should know. Personal information may be obtained through an enrollment process, employment, being a customer, etc., and may be information that is available in the "public domain".
      - Some team members consider challenge/response questions appropriate only for over-the-phone password resets and not for self-service.
      - The medical industry uses name and date of birth to satisfy HIPAA requirements.
  - Action item: Greg, Karen, & Kevin are to draft a rewrite of the PIF that does not use secret questions.
  - In order to accommodate other forms of identity management (e.g., secret questions, soft personal digital certificates, eToken, etc.) in possible later phases of the project, the design of this project needs to be a modular, plug-in type structure.
- Review discussion/decisions from last meeting (May 4th)
  - Note 2.c.i specifically refers to the number of pre-2003 passwords.
  - Note 3.a should state that the user must enter their VT ID # before using any of the other options listed. Greg corrected the notes of the May 4th meeting to include this.
  - Note 3.a.i.3: Use of a cell phone is OK, but e-mail is not, because e-mail is not "out-of-band": it still uses the Internet, which can be "sniffed". Out-of-band means not using the Internet. The OTP needs to be sent via SMS. It was recommended that this note be separated into two notes, one for cell phone and another for e-mail. Greg corrected the notes of the May 4th meeting to reflect this.
    - If cell phones are used, an easy way to capture that information was suggested: when students are required to decide about signing up for VT Alerts (before they can register for classes the first time), we might include a check box asking whether they want to use their cell phone for password resets.
  - Other team members (or their designees) to include in future meetings: Daniel Fisher, Ken McCrery, Kim Homer, and Brenda van Gelder.
  - Action item: draft, by the next meeting, an outline of the options that can be accomplished in the first phase of this project by the November 1, 2010 deadline.
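The design points recorded above (a modular, plug-in structure so that other verification methods can be added in later phases; the VT ID entered before any other option; and a one-time passcode delivered out-of-band by SMS rather than e-mail) can be sketched in a small Python example. This is an added illustration, not code from the project or from any meeting participant. The names ResetService, SmsOtpMethod and VerificationMethod, the send_sms gateway callback, the store_password callback, and every sample ID, phone number, time value and limit are constructed assumptions.

```python
"""Self-service password reset with pluggable verification methods.

Added illustration only (assumed design, not the project's code). Names
and sample data are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Protocol


class VerificationMethod(Protocol):
    """Plug-in interface. A later phase would add secret questions, soft
    certificates or eToken as further classes implementing these calls."""
    name: str

    def start(self, username: str) -> None: ...
    def verify(self, username: str, response: str) -> bool: ...


def _digest(code: str) -> bytes:
    # The code is short-lived and attempt-limited, so a plain hash is enough
    # to keep it out of memory dumps and logs in the clear.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class _Pending:
    code_hash: bytes
    expires_at: float
    attempts_left: int


@dataclass
class SmsOtpMethod:
    """One-time passcode over SMS: the out-of-band channel the notes require
    (e-mail is not out-of-band because it travels over the Internet)."""
    send_sms: Callable[[str, str], None]      # assumed gateway callback (phone, text)
    phone_book: dict[str, str]                # username -> enrolled cell phone
    ttl_seconds: int = 300                    # assumed lifetime of a code
    max_attempts: int = 3                     # assumed guess limit per code
    clock: Callable[[], float] = time.time    # injectable for testing
    name: str = "sms-otp"
    _pending: dict[str, _Pending] = field(default_factory=dict)

    def start(self, username: str) -> None:
        phone = self.phone_book[username]     # KeyError: no cell phone enrolled
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, 6 digits
        self._pending[username] = _Pending(
            _digest(code), self.clock() + self.ttl_seconds, self.max_attempts)
        self.send_sms(phone, f"Your password reset code is {code}")

    def verify(self, username: str, response: str) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self.clock() > rec.expires_at:
            del self._pending[username]       # expired: user must start over
            return False
        rec.attempts_left -= 1
        ok = hmac.compare_digest(rec.code_hash, _digest(response))
        if ok or rec.attempts_left == 0:
            del self._pending[username]       # single use; discard after N misses
        return ok


class ResetService:
    """Flow: VT ID first, then one registered method, then a one-shot reset
    token that authorises exactly one password change."""

    def __init__(self, directory: dict[str, str],
                 store_password: Callable[[str, str], None]):
        self.directory = directory            # VT ID -> username
        self.store_password = store_password  # assumed directory API (username, new_pw)
        self.methods: dict[str, VerificationMethod] = {}
        self._tokens: dict[str, str] = {}     # reset token -> username

    def register(self, method: VerificationMethod) -> None:
        self.methods[method.name] = method

    def begin(self, vt_id: str, method_name: str) -> None:
        username = self.directory[vt_id]      # KeyError: unknown VT ID
        self.methods[method_name].start(username)

    def verify(self, vt_id: str, method_name: str, response: str) -> str | None:
        username = self.directory[vt_id]
        if not self.methods[method_name].verify(username, response):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        username = self._tokens.pop(token, None)   # token is single use
        if username is None:
            return False
        self.store_password(username, new_password)
        return True


if __name__ == "__main__":
    sent: list[tuple[str, str]] = []
    svc = ResetService({"900123456": "jdoe"}, lambda u, p: print("password set for", u))
    svc.register(SmsOtpMethod(send_sms=lambda ph, txt: sent.append((ph, txt)),
                              phone_book={"jdoe": "+1-555-0100"}))
    svc.begin("900123456", "sms-otp")
    code = sent[-1][1].split()[-1]            # stands in for the user reading the SMS
    token = svc.verify("900123456", "sms-otp", code)
    print("reset allowed:", svc.set_password(token, "new-password"))
```

The method registry is what makes the design modular: ResetService knows nothing about SMS, and a challenge/response or secret-question class would plug in through the same two-call interface. The OTP class carries the controls a reviewer would look for on its own: a CSPRNG code, hash-only storage, a time-to-live, a guess limit, single use, and a constant-time comparison.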