Educause Security Discussion mailing list archives
Re: Logon Message
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 7 Aug 2003 09:02:16 -0500
So, you have a single login process (or maybe a couple of login processes under your control), that everyone MUST use before they connect to any other systems or applications on campus? I guess I'm not clear on what you mean by "perimeter points of login." -- Mark S. Bruhn, CISSP, CISM Chief IT Security and Policy Officer Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu) Office of the Vice President for Information Technology and CIO Indiana University 812-855-0326 Incidents involving IU IT resources: it-incident () iu edu Complaints/kudos about OVPIT/UITS services: itombuds () iu edu -----Original Message----- From: Steven R. Smith [mailto:Steven.R.Smith () Hofstra edu] Sent: Thursday, August 07, 2003 8:55 AM To: Bruhn, Mark S.; SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Logon Message That's exactly my concern. We also have a diverse system environment here, and because of the different communities we serve, there is much debate as to how to present the message depending on the user's relationship with the University. Our position (and is supported by Counsel) is that if we post the message at the perimeter points of login we are protecting all systems accessed after that point. Our Login message also states this. My feeling is that at least we're doing something, and not saying "welcome". Does this makes sense? I'd love to hear other points of view, and any real life experiences would help. I'll also relay your comment to our Counsel for consideration. Thanks, Steve. Steven R. Smith IS Security Specialist Hofstra University 516.463.3944
mbruhn () INDIANA EDU 08/06/03 06:44PM >>>
Clearly, I'm a little behind (no jokes, please :) Many believe that if this can't be done consistently -- that is, such that anyone and everyone who connects to any service on your network can see this same warning -- you shouldn't do it at all. The legal theory is that if it isn't displayed consistently, a case could be made (in court, by an alleged intruder's lawyer, for example) that a system without it doesn't have the same level of privacy as those that do. If you can't do it this way -- we can't in our environment, because of the diversity of systems and applications -- you should ask your Counsel to think about it from this angle as well, if they haven't already done. M. -- Mark S. Bruhn, CISSP, CISM Chief IT Security and Policy Officer Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu) Office of the Vice President for Information Technology and CIO Indiana University 812-855-0326 Incidents involving IU IT resources: it-incident () iu edu Complaints/kudos about OVPIT/UITS services: itombuds () iu edu -----Original Message----- From: Steven R. Smith [mailto:Steven.R.Smith () HOFSTRA EDU] Sent: Friday, August 01, 2003 1:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Logon Message Greetings all! We are in the process of implementing a logon message that will appear each time a user logs on to our network. The message consists of two parts: Security, which essentially says these resources are for authorized users, all activity may be monitored, and if you are not authorized, please leave; Privacy, which essentially says the systems you are accessing may contain information that is protected by Federal and State law, so you must take all precautions to protect it. Clearly that's paraphrased, and obviously this is not a new idea. The complete message has been approved by our Chief Counsel. I would like this message to be consistent through out the community (admin, faculty, and students) and to be presented in a consistent format. We were leaning toward a pop-up which appears after authentication, and requires the user to click ok to continue to login. However, there is some discussion that it should presented to students through a different venue that will not be a pop-up. What have other institutions done regarding this matter? Any thoughts would be much appreciated. Steve. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Logon Message Steven R. Smith (Aug 01)
- <Possible follow-ups>
- Re: Logon Message Michelle Mueller (Aug 01)
- Re: Logon Message Gary Dobbins (Aug 01)
- Re: Logon Message Bruhn, Mark S. (Aug 06)
- Re: Logon Message Steven R. Smith (Aug 07)
- Re: Logon Message Bruhn, Mark S. (Aug 07)
- Re: Logon Message Schmidt, Eric W (Aug 07)
- Re: Logon Message Randy Marchany (Aug 07)
- Re: Logon Message Jim Moore (Aug 07)
- Re: Logon Message John Stauffacher (Aug 07)
- Re: Logon Message Bruhn, Mark S. (Aug 07)
- Re: Logon Message Jere Retzer (Aug 07)
- Re: Logon Message Jim Moore (Aug 07)
- Re: Logon Message Steven R. Smith (Aug 18)
- Re: Logon Message Steven R. Smith (Aug 27)