Team

Susan Brooker-Gross, Mary Dunker, Daniel Fisher, Karen Herrington, Kim Homer, Greg Kroll, Joyce Landreth, Randy Marchany, Kevin Rooney, Nate Smith, Brenda van Gelder

Agenda

  1. Project Milestones
    1. November 10, 2010: project team comments on project scope and requirements documents
    2. November 15, 2010: submit project scope and requirements documents to VPIT office for subsequent review by Internal Audit
  2. Review comments on project scope and requirements documents
  3. Review OTP2VOICE requirements

Meeting Notes

  1. "GR17. Accounts that do not have a VTID will not be allowed to use this service." This means sponsored accounts (which have no VTID) cannot use the self-service reset; they can continue to use the existing process of calling 4Help.
  2. Plans are to give Internal Audit all three documents: (1) Scope, (2) AuthMethodAnalysis.doc, and (3) SelfServPwdReset_SRS.doc.
  3. It was recommended that the documents define account and password states more clearly.
  4. OTP2VOICE
    1. For ease of use it is recommended that the one-time passwords be numeric only. This recommendation also applies to passwords sent by SMS.
    2. There is no initial cost for this service because CNS already set it up for Athletics and it is in production use. Action item: test the service with Google Talk and Skype.
    3. The user must press 1 to receive the password.
    4. Note: include long-distance (international) charges in the project budget.
  5. There was some discussion regarding whether the application or the service should enforce "GR16. Every effort will be expended to prevent unwanted text messages from being sent. For each HTTPS session, the system will disable the send button for 5 seconds before allowing the user to send another message. The system will not send more than 3 messages to a particular receiver in a ten minute period."
  6. "GR22. All remote authentication identity providers must not allow a non-SSL session to provide authentication to an SSL redirect in the OpenID or OAuth authentication event during the reset. This should prevent stolen non-SSL sessions from being used to “auto-authenticate” a currently logged in user." This will be difficult to enforce, since the behaviour of a remote identity provider is outside the project's control.