Educause Security Discussion mailing list archives
Re: Role of Campus Police. Was: number of IT security staff
From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Mon, 31 Jan 2005 14:13:58 -0500
No flames, Antonio, this is a great discussion! Discussion points: 1. Separate Security Division or Marbled? The numbers of people dedicated to "security" group...did that represent those who nonetheless do "security" as a function? Perhaps the question is: Is your institution addressing the needs of IT security by dedicating a distinct division or group within your IT organization, or is it weaving or marbling security into your already existing divisions? My guess -- but I holding it out for discussion -- is that self-consciousness about creating a security program is more important than particular organization permutations: your thoughts and reactions? 2. Relationship with campus or other law enforcement? Troubleshooting for maintenance of network operations is related to, but can and should be distinguished from, forensics. Forensics may incur legal liability (such as chain of custody questions as well as "agency" questions, who is acting as an "agent" of law enforcement, and may play a role in evidentiary challenges to the degree that evidence could be suppressed if not properly handled and preserved.) Also, specific training may be involved for those who "officially" do forensics, and such certification plays a role in trial examination and cross-examination. These distinctions should not, however, be confused with the practice of establishing excellent working relationships not only with campus/ external law enforcement agencies and their collateral organizations, such as Infraguard and even more particularly for EDUCAUSE folks, REN-ISAC, but they should be carefully considered by fellow divisions with the IT organization (policy, networking, systems and operations, customer service...), cultivated (i.e. good working relationships between and among the individuals who occupy the offices), enjoyed with other campus offices (student/employee discipline, university counsel, etc.) monitored and even checked by and with privacy officers (usually, but not always, related to data stewards). 3. Law and/or Policy? Both issues that have animated the list service this morning point to the importance of security programs generally and law and policy considerations in particular. Good policy requires distinctions between law and policy. It is a violation of federal law to compromise a computer, for example; it is a violation of many campus IT security policies to fail to maintain updated virus protection -- but not illegal. The floor of the law with respect to IT security -- and the absence of regulation in this area means that we have much education to do via policy and otherwise with our campus populations. As institutions of higher education we should teach citizenship in physical as well as cyberspace, and can set a bar higher through policy than the law has set for IT security in American society at large. It is an obligation we should shoulder with pride, and I think we do a lot for our college and university populations when we go that extra mile (or two or three) to educate in this area. IT and national security are also separable, and should be, but they, too, are not unrelated; to teach about IT security is, to some degree, to teach about the potential weaknesses in national security and certainly about the value of an individual's privacy vis a vis the government (surveillance questions) and private intruders (hackers, identity thieves and black mailers) as well. Let's keep that discussion going! Tracy
Well, an InfoSec Officer of another institution of the University System of Georgia was kind enough to call me and tell me that she disagrees on my position that Information Security should be handled by Campus Police. Her point being that Campus Police is not trained to deal with electronic crime and that information security is more than just Crime Prevention. I appreciate her reading my post, Thanks!!!! I would like to expand on my point and present my thoughts on the matter. I entirely agree on the issue of "not trained" or "not prepared", but that is not the point. The point is, they shall be "prepared". We can help them now, but all law enforcement activities belong to the police. I respect police work to the fullest, of course I do, but in all honesty, I do not want to be a police man. I want to be a Data Network Manager and continue my career in this field. Years ago the police did not have the training or equipment to identify/stop speeders, drug carriers, concealed weapons, etc. etc. I am of the firm idea that we need to separate the function of Data Network/Systems/IT/etc Management from the Security function, and this latter function shall belong to a law enforcement force. This way those of us who want to do IT will do it, and those who wish to pursue law enforcement, electronic or not, will. And also, will keep us IT guys more accountable, since we are not in charge of collecting/handling evidence. This may take a while to happen, but I really believe it is the way to go. Please feel free to flame me. Thanks. Antonio Quesada Network Manager, OIT Gwinnett University Center 1000 University Center Lane Suite B3800 Lawrenceville, GA 30043 USA 678-407-5093 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Role of Campus Police. Was: number of IT security staff Antonio Quesada (Jan 31)
- <Possible follow-ups>
- Re: Role of Campus Police. Was: number of IT security staff Theresa M Rowe (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Sadler, Connie (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Samuel Liles (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Piscitello, Frank (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Jon E. Mitchiner (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Tracy Mitrano (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Steven Alexander (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Penn, Blake (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Brian Kaye (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Jon E. Mitchiner (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Penn, Blake (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Alec Yasinsac (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff James Riden (Jan 31)
- Re: Role of Campus Police. Was: number of IT security staff Rodney Petersen (Feb 01)
- Re: Role of Campus Police. Was: number of IT security staff Georgia T. Killcrece (Feb 02)
- Re: Role of Campus Police. Was: number of IT security staff John Lupton (Feb 04)
(Thread continues...)