On Mon, Jun 29, 2015 at 9:46 PM, Andrew Goble wrote:
> SUU report materials please
Mine just got uploaded.

> What does everybody's July look like?

Week of July 6th, or week of July 13th. Could also do the last week of July if it was late in the week.
I'm out of town and out of even cell reach from July 7 - July 19, but can make anything else work.
 
> We are set to continue.  A longer time period is a go (conditional upon institutional approval).
Muahhh haaa haa haaaaaa....

> CIOs would like to designate a few system-wide standards, most of which could probably be taken straight out of SANS (e.g. system-wide password standards).  Send me any suggestions on what SANS controls should be considered system-wide mandatory standards.
As far as passwords go, the "Stanford Model" is what I've been pimping here at USU.  I think I'll get it soon.  We're waiting on one last Banner piece of the puzzle to work with SSO and we'll be set.
https://itservices.stanford.edu/service/accounts/passwords/quickguide

Given the results we've seen with passwords under 10 characters though, I'm inclined to rule out the lowest rung of Stanford's password guide, but I like the flexibility of their model and that it has a built-in reward system for users who start to think in passphrases instead of passwords, in that the complexity requirements get easier the longer your password gets.

> CIOs also want a prioritized list of tools / software that could be used across the system and requested as part of a legislative initiative this coming session.
We're all using Duo, pretty much.  Collective purchasing for this would be great to get organized.

I have seen a demo of Rapid7's UserInsight and was blown away.  It was easy to configure, you can trace users' login movement across the whole network, they notify you if they discover one of your institution's credentials out in the wild, you can create incidents for compromised users and increase the monitoring of those accounts, etc.  Being able to track users and detect anomalies is very high on my priority list, and of the software I've looked at for that, nothing has had as good a price-to-features ratio as that one did.

Regardless of whether it's that specific software or not, I think having user logging and alerting is a critical thing that has to start happening for all of us.  We can run our ELK stacks till the cows come home, but inventing algorithms that can detect anomalous behavior on a case-by-case basis just isn't practical for us to write on our own.  Purchasing software collectively would go a long way toward getting us all running something.

There are two schools (UVU & SLCC) and sorta three or four (Dixie & Utah) that are running IDS and IPS, but I would like to see something we could all get on board with and collectively afford as well.  I don't have any specific wares to recommend to the CIO group, but I think it's critical we all find a sustainable and affordable way to do this across all the institutions.

My $.02
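Added example (not from this thread, nor Stanford's or Rapid7's code): a length-tiered password checker in the spirit of the quick guide linked above, with the lowest rung dropped as the message suggests. The tier boundaries and per-tier character-class requirements below are assumed for illustration, not taken from the thread.

```python
import re

# Character classes a password can contain.
CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# ASSUMED tiers: (minimum length, classes that must be present).
# Longer passwords face fewer class requirements; the shortest rung
# (anything under 12 characters) is deliberately absent, so short
# passwords are rejected outright rather than allowed with extra symbols.
TIERS = [
    (20, set()),
    (16, {"lower", "upper"}),
    (12, {"lower", "upper", "digit"}),
]


def check_password(pw):
    """Return (accepted, reason) for the first tier the length qualifies for."""
    length = len(pw)
    for min_len, required in TIERS:
        if length >= min_len:
            present = {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}
            missing = required - present
            if missing:
                return False, f"{length} chars needs {sorted(missing)}"
            return True, f"{length} chars, tier {min_len}+"
    return False, f"{length} chars is below the minimum of {TIERS[-1][0]}"


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "mountain goat 2015",
                      "Mountain goat 42", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```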