Educause Security Discussion mailing list archives
Re: RIAA Moves Against College-Network Fileswapping
From: Wayne Wilson <wwilson () UMICH EDU>
Date: Fri, 4 Apr 2003 11:54:21 -0500
It's interesting that a court case would find non-compliance with policies to be sufficient for something akin to negligence. It has been the case with federal health regulations for quite some time that what compliance investigators are really interested in is two things: Did your policies reflect the necessary regulations/laws? Do you have evidence that you followed these policies?

So it is indeed critical to have the proper policies in place as well as the administrative systems to enforce them. It is also critical to beware of having policies that are more comprehensive than are needed to be in compliance with applicable law, regulation and overall institutional principles. This kind of policy making activity is extremely time consuming and difficult to work on and needs a cross representation from the entire institution, not just one segment of it......

We have arguments over the above stated position whenever someone wants to create a rule or policy to address a specific situation that is troubling them at the moment. Reactive policy making can lead to very serious unintended consequences, but few are willing to put in the effort for good pro-active policy making.

Wayne Wilson
University of Michigan Medical School Information Systems

Bruhn, Mark S. wrote:
This supports the notion that policies shouldn't be written unless they are necessary for specific situations, and unless the organization has the means and desire to enforce them. This is one of the reasons (though maybe not the most important) we don't have such a policy, and indeed this citation lends add'l credibility to how most of us operate in this area (reactive instead of proactive).

M.
--
Mark S. Bruhn, CISSP

-----Original Message-----
*From:* Robert Myles [mailto:mylesr () OHSU EDU]
*Sent:* Friday, April 04, 2003 10:23 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] RIAA Moves Against College-Network Fileswapping

There is precedent for the suit against the institution: a case was settled for 1.5 million last year in the southwest against a company that had a policy against download of MP3's and P2P software, knew of a P2P server on their system that they did not get around to shutting down, and were found at fault for not following their own policy. Lawsuits always go for the deep pockets!!

Robert Myles, CISSP
Information Security Officer
Oregon Health & Science University