Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Katie Weaver <katie.weaver () AWAREITY COM>
Date: Thu, 18 Mar 2010 11:56:19 -0500
Interesting topic and responses. I thought I would pass along this article that offers some good guidance on policies and enforcement and may help address some of the issues and concerns discussed in this string: http://www.workforce.com/section/03/feature/27/02/75/index.html

Employers have rights and obligations (legal, reputation, regulatory, etc.) to protect their information, their property, their reputation, their employees and their management.

Thanks!

Katie Weaver
Awareity
www.awareity.com
Follow us on Twitter: www.twitter.com/awareity
Lessons Learned Blog: www.blog.awareity.com

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patrick Ouellette
Sent: Wednesday, March 17, 2010 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

But there has to be a known/viable buy-in from management - we've got a situation here where the policy is so loose you could drive a Mack truck through it sideways and not hit a bloody thing because of lack of support over time from Management. It goes further than that, but it contributed to it badly. And, if on top of that the consequences are illogical, impossible to enforce or known to never have been applied, the whole document is worth less than the paper it's printed on. Case of perception of "well, why not - the likelihood something will be done is obviously low".
It constantly amazes me what people think they can get away with (or at least try) until they get that smack-on-the-hand reaction. On the other hand, I completely agree with the "make sense" part - for users to buy into it, it has to be clear where the line is and what the limits are. But even with education, training and repetition, we all know there are some "users" who will do what they want regardless. So one suggestion that was made from an external source was to have the "New Employee Guidance" course have that info in it, and have a sign-in list. That way, when they say "but I didn't know", you take out the sheet and can say "gee, it was covered in the course you took on x/y/z. I guess you didn't take it seriously and/or were sleeping that day?"

Sincerely,

Patrick Ouellette
Algonquin College - School of Advanced Technology
Program Coordinator: Computer Systems Technician & Technology - Networking / Security Programs
Professor - Computer Studies Department

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Nunnally
Sent: March-17-10 4:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Exactly, Eric! Students are one thing, but faculty and staff are EMPLOYEES. They are no more "right" to ignore security recommendations than they are to ignore any other corporate policies. Are they "right" to ignore personnel policies or parking regulations because they don't see any reason for them? I think the point is that we will see better results from our efforts by making policies that make sense and are easy for end users to buy into. But regardless of what those policies might be, employees should comply or appeal, not ignore.

John N.

On Wed, Mar 17, 2010 at 1:51 PM, Eric Case <ecase () email arizona edu> wrote:
I agree completely that it's more useful to communicate risks than to have rigid policies. That allows the users to put in compensating controls that fit their needs.
Is it then ok if the user accepts more risk than the institution is willing to accept?

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase