FW: FastLane concerns Beck, Ellen 10 Feb 2000 12:59 EST

Erin Lindsay, User Liaison, Research Admin. - Administrative Technology
Center, Caltech has asked me to forward this...

> -----Original Message-----
> From: Lindsay, Erin [SMTP:xxxxxx@ape.caltech.edu]
> Sent: Thursday, February 10, 2000 10:05 AM
> To:   'Ellen Beck'
> Subject:      FastLane concerns
>
> There has been much concern raised about the announcement from FastLane.
> And I can understand this. Anything new to me always brings up my own
> anxiety level.
>
> However, for several reasons, I personally think that these changes are
> excellent and a step in the right direction:
>
> 1) NSF is moving toward a Federal Commons' standard. This will ultimately
> mean one login and password for each PI or administrator FOR ALL
> participating AGENCIES. FastLane's current system of pin codes will not
> allow this type of standardization. I personally think this is reason
> enough to be excited about the change.
>
> 2) This is bringing FastLane into more universally-accepted security
> practices. The reality is, FastLane is a federal program. They have a
> responsibility for the security of the data. In today's world where patents
> can generate income of millions and millions of dollars, ideas must be
> protected as best possible.
>
> 3) FastLane must be designed with those researchers in mind who AREN'T
> comfortable with the type of security talked about on this listserv.
> FastLane is REQUIRED to develop a security system that will work for those
> PIs who feel security is important--and by default, these procedures must
> work the same way for all PIs.
>
> To answer Nancy's excellent questions:
>
> 1) The user registration will still be done through the SRO Office--the
> same way it is done today.
>
> 2) I spoke with Carolyn Miller from FastLane this morning, and she
> confirmed that people who don't change their passwords in 180 days will
> NOT be kicked out of the system. In fact, if your PI doesn't use the
> system for three years, she just has to enter her old password, and then
> will be prompted to change it to a new one. All computer systems truly
> should require this. The system we recently replaced at Caltech had it set
> at 90 days--but more critical responsibilities (such as system
> administrator) were set to 30 days. 180 days is much longer than the
> average or the recommended, but works well for a system like FastLane. By
> the way, if your PI forgets her password, all she needs to do is what she
> does today when she forgets the PIN number--call her SRO and ask them to
> help her out. The SRO will simply reset the password, give it to the PI,
> and then she will be prompted to change it again the first time she goes
> back into FastLane.
>
> 3) If the PI forgets to give SRO access, it will be no different than
> today. Quite honestly, it is poor procedure for a SRO to go into a
> proposal as the PI and do things such as this. Talk to the lawyers and to
> audit on your campus if you disagree. For the SRO to do this, it is
> similar to the SRO going into the PI's personal office, and grabbing the
> proposal off the desk to mail it in. Would you feel comfortable doing
> that?
>
> 4) FastLane could probably program in the ability to notify the SRO
> anytime a password changes. However, I must state that it is not good
> practice to maintain this information in your office. I spoke to Caltech's
> Information Security Officer this morning about all this, and she was
> blown away that some institutions are doing this.
>
> 5) The details surrounding the electronic signature are not completely
> formed as yet. Technology is still trying to catch up. But, I can tell you
> that when it is implemented, if you have six individuals on your campus
> who are legally authorized to sign-off on grant applications, then they'll
> each be individually registered.
>
> Remember, FastLane answers to the Federal Government. They must be as
> secure as possible. We've all heard the news stories the last couple of
> days about hackers hitting E-Bay, Yahoo, ETrade and others. Hackers are
> especially interested in the Federal sites. And in the same respect, we
> all need to be as secure as possible at our own institutions. It is our
> fiduciary duty.
>
> For more information on security issues, Steve Dowdy and I wrote an
> article for the NCURA newsletter two summers ago. You can get to it at:
> http://www.ncura.edu/orginfo/newsletters/ncuranewsja.pdf (for the PDF
> version--the article is on page two) or
> http://www.ncura.edu/orginfo/newsletters/ja98.html (search for the word
> "security.")
>
> I hope that some of this helps.
>
> Erin
> *************
> Erin B. Lindsay
> User Liaison, Research Admin. - Administrative Technology Center
> Caltech
> xxxxxx@caltech.edu

======================================================================
 Instructions on how to use the RESADM-L Mailing List, including
 subscription information and a web-searchable archive, are available
 via our web site at http://www.hrinet.org (click on "Listserv Lists")
======================================================================