All faculty, staff, and studnets at Columbus State University are assigned an account for using university computers, the university network, and the university's e-mail system. The user names are assigned and are typically lastname_firstname. The password is selected by the user and requires changing periodically.

Pre-Assignment: Find an danalyze several sample password policies. Your organization probably has one and there are many available on the web.

Assignment: Design a password policy for accounts at Columbus State University.

Post-Assignment: Discuss the following -

• How would your policy recommendation for CSU differ from the current policy. Explain your recommended changes.
• How does your policy recommendation for CSU compare with the password policies that you currently use elsewhere.

Discussion Questions

1. (DUE February 19, 2003 by midnight EST) Select one of the following questions to discuss in detail through the threaded discussion.
   • Most Security Policies recommend the following:
     • "Personnel must never use a password that is the same as or similar to one they are using on any corporate system and on an Internet site."
     • "Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computers or voice mail), various locations of devices (home or business); and various tyoes of systems, devices (router or firewall), or programs (database or application)."
     • "No computer user shall use the same or a similar password within the same eighteen-month period." [The Art of Deception by Kevin Mitnick]
   Do you agree or disagree with these recommendations. Discuss the feasibility of following these recommendations.
   • Describe a mechanism by which an operating system can enforce limited transfer of capabilities. That is, process A might transfer a capability to process B, but A wants to prevent B from transferring the capability to any other processes.
     Your design should include a description of the activities to be performed by A and B, as well as the activities performed by and the information maintained by the operating systems.
   • Suggest an efficient scheme for maintaining a per-user protection scheme. That is, the system maintains one diretory per user, and that directory lists all the objects to which the user is allowed access. Your design should address the needs of a system with 1000 users, of whom no more than 20 are active at any time. Each user has an average of 200 permitted objects; there are 50,000 total objects in the system.
   • Design a protocol by which two mutually suspicious parties can authenticate each other. Your protocol should be usable the first time these two parties try to authenticate each other.
   • Liberty and Passport are the two most talked-about digital-identity platforms. Discuss the advantages and disadvantages to using one or both of these.
2. (DUE February 24, 2003 by midnight EST) Select a discussion from one or more of your classmates and respond to their comments.

Webliography Assignment
(DUE February 24, 2003 by midnight EST) Submit to the class Webliography 5 annotated links related to operating systems security. These will be added to our Information Assurance E-library (http://csc.ColumbusState.edu/summers/e-library/security.html) You will receive 1 point if just a new link; 1 point if annotation for one of my links; or 2 points if a new annotated link.