Educause Security Discussion mailing list archives

Re: Institutional Security Policies


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 26 Aug 2002 10:59:47 -0500

At 8:47 -0700 8/26/02, Jere Retzer wrote:

> To what extent should you publicize these policies?

Policies should be public.  They are a statement of the values of the
organization.   People can't be expected to make a good faith effort
to align with the policies if they don't know them!

Standards should also be public at least within the organization.
Again, it is not possible to meet standards unless you are aware of
them.  Furthermore, you need to know them to resolve conflicts and
audit performance.

Guidelines can be kept private or even unpublished so long as they
are understood.

Think of it as in US Federal government.   The Constitution is a
statement of the principles on which the country is founded.  It lays
out rights and responsibilities, and it defines players and their
roles.  It isn't very long (a few pages), and it is seldom altered.

The US Code (Federal Law) comes in multiple "titles" each covering a
particular area of need.   It is written to be specific and have
performance measures.   It is public, although few people read all of
it.  It is considerably longer than the "policy" and only a small
portion at a time gets altered based on need and circumstances.

Operational guidelines and rules are in place within different
agencies and branches of government.  The folks in the USDA don't
really care about the operational rules for the Navy SEALs, and in
fact, those rules are classified and not public.  However, they all
are held accountable to law, and ultimately, to the Constitution.

--spaf

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.