Educause Security Discussion mailing list archives
Standards (was Re: SECURITY Listserv Instructions and Participation Guidelines)
From: Laurie Zirkle <lat () VT EDU>
Date: Mon, 8 Jul 2002 07:32:10 -0400
At 18:36 -0400 7/07/02, Randy Marchany wrote:
Are you talking about S.1901.IS?
I thought the draft that I read simply stated that the edu adhere to a standard and not necessarily a specific one.
The amendment said that NIST had 6 months to come up with a set of standards that all contractors and agencies would have to meet.
S.1901.IS aside, what SANS was working towards was (and I quote) " proposed language for security improvements requirements for Federal grant recipients." The original effort generated something like 70% negative comments, and then morphed into a new approach that was supposed to parallel the Drug-Free Workplace legislation and regulations. I think the biggest stumbling block to all of this was not necessarily adhering to some standard, or even a consensus of what the minimum standard should be. I believe the problem was where would the funding for this come from and how well would the grantees accept this sort of restraint (for lack of a better word).
There are a number of "standards" like the SANS and CIS benchmarks that could be applied to most edus without serious impact.
Note you said "most" and "serious". The problem with "standards" is they either don't take into account real needs and differences, or else they are so watered down as to be meaningless. The first set of CIS standards on Cisco routers, for instance, if mandated on our router would have DECREASED the security of our site!
I don't believe that they would be mandated as "this or nothing else". It would have been the MINIMUM that needed to be done. If your site/machine/router was more tightened down, wonderful. The CIS and SANS benchmarks as they stand now (and I'm sure I'll be corrected if this is not so) were not geared towards the Gene Spaffords and Randy Marchanys of the world; they were geared towards those that were less knowledgeable about those types of issues. There were some of us here that had already gone above and beyond those guidelines before they were ever published. Did that mean we should undo what we had done? I think not.
I know we've done that here at VA Tech. The problem has always been to get the upper administration to focus on security.
VA Tech must have more money than other places. I'm sure it has more than most HBCUs and Tribal colleges. Then there is the economy. Several states are in recession and are enforcing mandatory furloughs for employees, including faculty. Others are taking money away from programs for the disabled, the unemployed and the indigent. All those states need is another set of unfunded mandates for the schools and universities. Think they are going to allocate more state money to make up for it? (Hint: rhymes with "hello")
Not. Our budget has been cut by 25 million dollars. This is in addition to all the previous years where funding for state universities was cut, sometimes quite drastically. There is a core group on campus that has repeatedly rehashed this whole argument and a lot of its peripheral points since, oh, at least 1985 when we were first installing our campus network and hooking up to the Internet. Some of it we just went ahead and implemented on our own on the individual machines/networks that we run. Some of it didn't take effect until after we suffered major intrusions, although the groundwork was already laid by this core group.
Then there are the small private schools that are operating in the red. If they raise fees to cover new costs, many students can't get the financial aid to pay the difference (because it hasn't been increased). Thus, they lose students and fees both. Not good in bad economic times. The problem is that the people who want to make the rules don't have sufficient knowledge of the impact they will have.
I think the bigger problem is how Internet connectivity has ballooned and how fast a lot of it has happened. Since there was no standard to begin with, no one wants to change how they do things. I'm sure that the Internet is not the only entity that has (or had) this type of growing pains or disagreements. And a lot of places (be it private, corporate, government, education or any others) just don't have the knowledge level, especially with everything becoming very "plug-and-play". There are still too many that are unaware of security measures that can be taken. And let's face it, *some* of this is just knee-jerk reactions to September 11 that are being undertaken by the wrong people for the wrong reasons. (Note I said *SOME*, not *ALL*.) I will now get off my soapbox and get back to my real job.
-- Laurie