Educause Security Discussion mailing list archives

Institutional Security Policies


From: Ced Bennett <Ced.Bennett () STANFORD EDU>
Date: Mon, 26 Aug 2002 06:25:52 -0700

Colleagues:

I'm (very early) in the process of re-writing Stanford's institutional
information security policies.  Of course, I've been looking at
colleague institution web sites searching for different approaches to
the challenge.  I've now got a couple of questions - one at each end of
the spectrum - regarding an approach.

I'm looking for an overarching statement of information security from
which everything else derives.  It would be the "motherhood and apple
pie" portion of the policies and would contain some basic principles
that most would agree with as well.  Do any of you have such statements
that you're willing to share (or can you point me at the web page that
already contains such statements)?

At the other end of the spectrum, at what point do you continue to write
policies (or standards and practices) that are specific and detailed
(which protocols are ok and not, what are required practices, etc) and
where do you publish those?  And how much institutional policy-writing
process do you require for those more specific policies?  Almost all of
us publish a Usage Policy which seems to be aimed primarily at
individual users of the network and computers.  But where do you put the
details about how large, institutional systems must behave (I can easily
imagine that these rules are not published to the world via the www)?

I'm posting this question to both the security list and the CPL list.
My apologies to those of you who use both.

Thank you,
Ced Bennett

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cedric Bennett          Ph:   650/723-0728      Fax:  650/723-2011
Director of Information Security Services
  Information Technology Systems & Services
Stanford University
Polya Hall, Room 103
255 Panama Street
Stanford, CA 94305-3055          Ced.Bennett () Stanford edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
