Oxford's Chief Information Security Officer reports
Philosophers, pop stars and stroganoff; not your usual security update. Read on to find out more
You will all be aware of the need for vigilance around information security and several incidents that have occurred at other academic institutions this year. We must continue to take our information security very seriously and during this term we are continuing to strengthen our defences.
Professionalism and thanks
I am extremely grateful to the teams in IT Services, Information Security (Infosec), and the wider IT support staff around the University in preparing for forthcoming improvements. There is always likely to be some friction in complex projects and I appreciate your steadfast professionalism in rolling out these enhancements to our University. Infrastructure Services have been engaged in detailed testing to ensure that an appropriate and expected user experience is balanced with the need to improve security. In one test, a newly purchased IT Services Connect laptop, when connected to a Wi-Fi network, just after having the profile installed and being re-started, was heard to blast out two bars of 'Someone Like You.' Turns out to be a common feature of a Dell.
New password policy
Password policy for the Oxford Single Sign-On (SSO) system will shortly change to an approach which improves the strength and makes passwords more memorable. It matches best practice as seen in industry and as recommended by the National Cyber Security Centre (NCSC).
Things have moved on from the practice of using a mix of letters, numbers and characters. The perceived complexity wasn’t always delivered as people a!ways us3d c0mmon r3placedment5 for letter5. Our approach is to use three or four unconnected words which must make up at least 16 characters. So ‘Mug Chicken Curtain Banana’ would be an acceptable password as it has four words which are not apparently connected (unless you have a really weird pattern on your curtains) and it amounts to a total of 23 letters. ‘Wine Beef Stew’ is not acceptable as the words are linked, they only total 12 letters and this is unlikely to be stroganoff.
You will see this change when your existing SSO password expires or is reset for any reason. It will then be mandatory to follow the above policy guidelines and have a minimum 16 character password. Similar policies for other University systems are likely to be rolled out in due course.
Security and philosophy
Infosec operates a service that can provide additional security for you when working remotely. You will automatically enjoy this service when connected via a college, departmental or University virtual private network (VPN). The VPNs make all of your computer traffic go through the University’s Domain Name System (DNS) where extra security can be delivered. The discussion of DNS always reminds me of the first letter of the names of my three favourite philosophers: Descartes: to be is to do; Nietzsche: to do is to be; Sinatra: do be do be do.
Please look out for the up-coming communications on security changes this term; if in doubt, ask your local IT staff.