Educause Security Discussion mailing list archives

Standards (was Re: SECURITY Listserv Instructions and Participation Guidelines)


From: Laurie Zirkle <lat () VT EDU>
Date: Mon, 8 Jul 2002 07:32:10 -0400

At 18:36 -0400 7/07/02, Randy Marchany wrote:
Are you talking about S.1901.IS?

I thought the draft that I read simply stated that the edu adhere to a
standard and not necessarily a specific one.

The amendment said that NIST had 6 months to come up with a set of
standards that all contractors and agencies would have to meet.

S.1901.IS aside, what SANS was working towards was (and I quote)
"proposed language for security improvements requirements for Federal
grant recipients."  The original effort generated something like
70% negative comments, and then morphed into a new approach that was
supposed to parallel the Drug-Free Workplace legislation and regulations.

I think the biggest stumbling block to all of this was not necessarily
adhering to some standard, or even a consensus of what the minimum
standard should be.  I believe the problem was where would the funding
for this come from and how well would the grantees accept this sort of
restraint (for lack of a better word).

There are a number of "standards"
like the SANS and CIS benchmarks that could be applied to most edus without
serious impact.

Note you said "most" and "serious".   The problem with "standards" is
they either don't take into account real needs and differences, or
else they are so watered down as to be meaningless.   The first set
of CIS standards on Cisco routers, for instance, if mandated on our
router would have DECREASED the security of our site!

I don't believe that they would be mandated as "this or nothing else".
It would have been the MINIMUM that needed to be done.  If your site/machine/
router was more tightened down, wonderful.  The CIS and SANS benchmarks
as they stand now (and I'm sure I'll be corrected if this is not so)
were not geared towards the Gene Spaffords and Randy Marchanys of the
world; they were geared towards those that were less knowledgeable about
those types of issues.  There were some of us here that had already gone
above and beyond those guidelines before they were ever published.  Did
that mean we should undo what we had done?  I think not.

I know we've done that here at VA Tech. The problem has always
been to get the upper administration to focus on security.

VA Tech must have more money than other places.  I'm sure it has
more than most HBCUs and Tribal colleges.   Then there is the
economy.  Several states are in recession and are enforcing mandatory
furloughs for employees, including faculty.   Others are taking money
away from programs for the disabled, the unemployed and the indigent.
All those states need is another set of unfunded mandates for the
schools and universities.  Think they are going to allocate more
state money to make up for it?   (Hint:  rhymes with "hello")


Not.  Our budget has been cut by 25 million dollars.  This is in addition
to all the previous years where funding for state universities was cut,
sometimes quite drastically.

There is a core group on campus that have repeatedly rehashed this whole
argument and a lot of its peripheral points since, oh, at least 1985 when we
were first installing our campus network and hooking up to the Internet.  Some
of it we just went ahead and implemented on our own on the individual
machines/networks that we run.  Some of it didn't take effect until
after we suffered major intrusions, although the groundwork was already
laid by this core group.

Then there are the small private schools that are operating in the
red.  If they raise fees to cover new costs, many students can't get
the financial aid to pay the difference (because it hasn't been
increased).  Thus, they lose students and fees both.  Not good in bad
economic times.

The problem is that the people who want to make the rules don't have
sufficient knowledge of the impact they will have.


I think the bigger problem is how Internet connectivity has ballooned
and how fast a lot of it has happened.  Since there was no standard
to begin with, no one wants to change how they do things.  I'm sure
that the Internet is not the only entity that has (or had) this type of
growing pains or disagreements.  And a lot of places (be it private,
corporate, government, education or any others) just don't have the
knowledge level, especially with everything becoming very "plug-and-play".
There are still too many that are unaware of security measures that
can be taken. And let's face it, *some* of this is just knee-jerk reactions
to September 11 that are being undertaken by the wrong people for the
wrong reasons.  (Note I said *SOME*, not *ALL*.)

I will now get off my soapbox and get back to my real job.

--
Laurie

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.