Educause Security Discussion mailing list archives

Re: User's not following the rules


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 17 Sep 2008 16:00:47 -0400

FWIW, judgments in cases like the one you describe are handled (here) by the relevant University office (e.g. Student 
Affairs, HR, Provost) because they have ceased to be "information security" in nature, and instead are an employee 
performance issue or a code-of-conduct question.
The IT folks become suppliers to those offices of background data on the case.  We are not expected to judge nor impose 
sanctions of our own choosing.  I have found this to be a very proper arrangement.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James 
Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User's not following the rules

We are currently evaluating what to do when a user does not follow the Information Security Policies adopted by the 
institution.

Currently our policies are handled on a case by case basis.  There are no set forth policies that clearly state if you 
provide your password to another user, x, y, z will happen.

Does anyone have a guideline they can share on what happens when a user does not follow the established rules?
Do you test users on their understanding of the security policies?
If so, are penalties more severe if the user demonstrated knowledge in the area?
Do sanctions change based on the number of times they do not follow the policy?

Thank you for your time
James Farr
Utica College
Information Security Officer

