Educause Security Discussion mailing list archives

Re: Role of Campus Police. Was: number of IT security staff


From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Mon, 31 Jan 2005 14:13:58 -0500

No flames, Antonio, this is a great discussion!

Discussion points:

1.      Separate Security Division or Marbled?
       The numbers of people dedicated to "security" group...did
that represent those who nonetheless do "security" as a function?
       Perhaps the question is: Is your institution addressing the
needs of IT security by dedicating a distinct division or group
within your IT organization, or is it weaving or marbling security
into your already existing divisions?
       My guess -- but I am holding it out for discussion -- is that
self-consciousness about creating a security program is more
important than particular organization permutations: your thoughts
and reactions?

2.      Relationship with campus or other law enforcement?
       Troubleshooting for maintenance of network operations is
related to, but can and should be distinguished from, forensics.
       Forensics may incur legal liability (such as chain of custody
questions as well as "agency" questions, who is acting as an "agent"
of law enforcement, and may play a role in evidentiary challenges to
the degree that evidence could be suppressed if not properly handled
and preserved.)  Also, specific training may be involved for those
who "officially" do forensics, and such certification plays a role in
trial examination and cross-examination.
       These distinctions should not, however, be confused with the
practice of establishing excellent working relationships not only
with campus/external law enforcement agencies and their collateral
organizations, such as InfraGard and even more particularly for
EDUCAUSE folks, REN-ISAC, but they should be carefully considered by
fellow divisions with the IT organization (policy, networking,
systems and operations, customer service...), cultivated (i.e. good
working relationships between and among the individuals who occupy
the offices), enjoyed with other campus offices (student/employee
discipline, university counsel, etc.) monitored and even checked by
and with privacy officers (usually, but not always, related to data
stewards).

3.      Law and/or Policy?
       Both issues that have animated the list service this morning
point to the importance of security programs generally and law and
policy considerations in particular.   Good policy requires
distinctions between law and policy.  It is a violation of federal
law to compromise a computer, for example; it is a violation of many
campus IT security policies to fail to maintain updated virus
protection -- but not illegal.  The floor of the law with respect to
IT security -- and the absence of regulation in this area -- means that
we have much education to do via policy and otherwise with our campus
populations.  As institutions of higher education we should teach
citizenship in physical as well as cyberspace, and can set a bar
higher through policy than the law has set for IT security in
American society at large.  It is an obligation we should shoulder
with pride, and I think we do a lot for our college and university
populations when we go that extra mile (or two or three) to educate
in this area.  IT and national security are also separable, and
should be, but they, too, are not unrelated; to teach about IT
security is, to some degree, to teach about the potential weaknesses
in national security and certainly about the value of an individual's
privacy vis a vis the government (surveillance questions) and private
intruders (hackers, identity thieves and blackmailers) as well.

Let's keep that discussion going!

Tracy




Well, an InfoSec Officer of another institution of the University System
of Georgia was kind enough to call me and tell me that she disagrees on
my position that Information Security should be handled by Campus
Police. Her point being that Campus Police is not trained to deal with
electronic crime and that information security is more than just Crime
Prevention. I appreciate her reading my post, Thanks!!!!

I would like to expand on my point and present my thoughts on the
matter.

I entirely agree on the issue of "not trained" or "not prepared", but
that is not the point. The point is, they shall be "prepared". We can
help them now, but all law enforcement activities belong to the police.
I respect police work to the fullest, of course I do, but in all
honesty, I do not want to be a policeman. I want to be a Data Network
Manager and continue my career in this field. Years ago the police did
not have the training or equipment to identify/stop speeders, drug
carriers, concealed weapons, etc. etc.

I am of the firm idea that we need to separate the function of Data
Network/Systems/IT/etc Management from the Security function, and this
latter function shall belong to a law enforcement force.

This way those of us who want to do IT will do it, and those who wish to
pursue law enforcement, electronic or not, will.
And also, will keep us IT guys more accountable, since we are not in
charge of collecting/handling evidence.

This may take a while to happen, but I really believe it is the way to
go.
Please feel free to flame me.


Thanks.

Antonio Quesada
Network Manager, OIT
Gwinnett University Center
1000 University Center Lane Suite B3800
Lawrenceville, GA 30043
USA
678-407-5093

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
