Educause Security Discussion mailing list archives

Re: Institutional Security Policies


From: Jere Retzer <retzerj () OHSU EDU>
Date: Mon, 26 Aug 2002 09:18:04 -0700

OK, I think I agree with you.

I think the motherhood & apple pie part is good for the public server and in general anything that you require 
authorized users to follow/comply with should be on an internal web server.  I'm not sure that I would advertise server 
backup frequency as it seems that this might be open to some sort of gaming or exploit -- more likely in conjunction 
with a lawsuit than a hack but who knows. Probably need to consider privacy policy and policy to prevent abusive 
behavior, and assert your institutional right to monitor (if you indeed claim the right to monitor) on the public side 
as well as notice that your network is intended for the benefit of your institution and that any unapproved access is 
considered trespass.  Include institutional policy with respect to copyrighted materials on the public side. Publish any 
restrictions on user-operated servers/services in the internal site.  Do not publish network architecture, particularly 
defensive systems.

Out of curiosity, do you recommend retaining backups of e-mail? If so, for how long? I've heard the lawyers argue 
several different directions on this question.


spaf () CERIAS PURDUE EDU 08/26/02 08:59AM >>>
At 8:47 -0700 8/26/02, Jere Retzer wrote:

To what extent should you publicize these policies?

Policies should be public.  They are a statement of the values of the
organization.   People can't be expected to make a good faith effort
to align with the policies if they don't know them!

Standards should also be public at least within the organization.
Again, it is not possible to meet standards unless you are aware of
them.  Furthermore, you need to know them to resolve conflicts and
audit performance.

Guidelines can be kept private or even unpublished so long as they
are understood.

Think of it as in US Federal government.   The Constitution is a
statement of the principles on which the country is founded.  It lays
out rights and responsibilities, and it defines players and their
roles.  It isn't very long (a few pages), and it is seldom altered.

The US Code (Federal Law) comes in multiple "titles" each covering a
particular area of need.   It is written to be specific and have
performance measures.   It is public, although few people read all of
it.  It is considerably longer than the "policy" and only a small
portion at a time gets altered based on need and circumstances.

Operational guidelines and rules are in place within different
agencies and branches of government.   The folks in the USDA don't
really care about the operational rules for the Navy SEALS, and in
fact, those rules are classified and not public.    However, they all
are held accountable to law, and ultimately, to the Constitution.

--spaf

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
