Re: SECURITY Listserv Instructions and ParticipationGu idelines

[Gene Spafford <spaf () CERIAS PURDUE EDU>]

At 18:36 -0400 7/07/02, Randy Marchany wrote:
> Are you talking about S.1901.IS?

Yes.

>  >(no single standard will work for every environment,
> > something that proponents of this kind of thing don't seem to
> > understand).
>
> I thought the draft that I read simply stated that the edu adhere to a
> standard and not necessarily a specific one.

The amendment said that NIST had 6 months to come up with a set of
standards that all contractors and agencies would have to meet.

> There are a number of "standards"
> like the SANS and CIS benchmarks that could be applied to most edus without
> serious impact.

Note you said "most" and "serious".   The problem with "standards" is
they either don't take into account real needs and differences, or
else they are so watered down as to be meaningless.   The first set
of CIS standards on Cisco routers, for instance, if mandated on our
router would have DECREASED the security of our site!

It is also a huge problem if the standards can't be met without
additional funding that also isn't provided.  In particular, any new
standards for security may well push some predominantly minority
institutions off the net -- many of them have trouble funding basic
access with old equipment as it is.   Several of the tribal colleges,
for instance, may not be able to stay online if there are
requirements for firewalls, IDS, smartcards or anything else with a
non-zero cost.

Despite what the President says, the digital divide exists and is growing.

> I know we've done that here at VA Tech. The problem has always
> been to get the upper administration to focus on security.

VA  Tech must have more money than other places.  I'm sure it has
more than most HBCUs and Tribal colleges.   Then there is the
economy.  Several states are in recession and are enforcing mandatory
furloughs for employees, including faculty.   Others are taking money
away from programs for the disabled, the unemployed and the indigent.
All those states need is another set of unfunded mandates for the
schools and universities.  Think they are going to allocate more
state money to make up for it?   (Hint:  rhymes with "hello")

Then there are the small private schools that are operating in the
red.  If they raise fees to cover new costs, many students can't get
the financial aid to pay the difference (because it hasn't been
increased).  Thus, they lose students and fees both.  Not good in bad
economic times.

The problem is that the people who want to make the rules don't
sufficient knowledge of the impact they will have.

> BTW, I was looking at the bill (via thomas.loc.gov) and didn't see the
> amendment. Where is it?

I dunno.   It is the markup version that the committee will
eventually report to the floor.   It is still "in conference" so they
may not have the amendments listed.

--spaf

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.