Educause Security Discussion mailing list archives
Re: Institutional Security Policies
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 26 Aug 2002 10:59:47 -0500
At 8:47 -0700 8/26/02, Jere Retzer wrote:
Content-Type: text/html Content-Description: HTML To what extent should you publicize these policies?
Policies should be public. They are a statement of the values of the organization. People can't be expected to make a good faith effort to align with the policies if they don't know them! Standards should also be public at least within the organization. Again, it is not possible to meet standards unless you are aware of them. Furthermore, you need to know them to resolve conflicts and audit performance. Guidelines can be kept private or even unpublished so long as they are understood. Think of it as in US Federal government. The Constitution is a statement of the principles on which the country is founded. It lays out rights and responsibilities, and it defines players and their roles. It isn't very long (a few pages), and it is seldom altered. The US Code (Federal Law) comes in multiple "titles" each covering a particular area of need. It is written to be specific and have performance measures. It is public, although few people read all of it. It is considerably longer than the "policy" and only a small portion at a time gets altered based on need and circumstances. Operational guidelines and rules are in place within different agencies and branches of goverment. The folks in the USDA don't really care about the operational rules for the Navy SEALS, and in fact, those rules are classified and not public. However, they all are held accountable to law, and ultimately, to the Constitution. --spaf ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Institutional Security Policies Ced Bennett (Aug 26)
- <Possible follow-ups>
- Re: Institutional Security Policies Gene Spafford (Aug 26)
- Re: Institutional Security Policies Jere Retzer (Aug 26)
- Re: Institutional Security Policies Doug Dunwoody (Aug 26)
- Re: Institutional Security Policies Gene Spafford (Aug 26)
- Re: Institutional Security Policies Bruhn, Mark S. (Aug 26)
- Re: Institutional Security Policies Jere Retzer (Aug 26)
- Re: Institutional Security Policies Gene Spafford (Aug 26)
- Re: Institutional Security Policies Jere Retzer (Aug 26)
- Re: Institutional Security Policies Alex Campoe (Aug 26)
- Institutional Security Policies Ced Bennett (Aug 28)