Educause Security Discussion mailing list archives
Re: Institutional Security Policies
From: Jere Retzer <retzerj () OHSU EDU>
Date: Mon, 26 Aug 2002 09:18:04 -0700
OK, I think I agree with you. I think the motherhood & apple pie part is good for the public server, and in general anything that you require authorized users to follow/comply with should be on an internal web server. I'm not sure that I would advertise server backup frequency, as it seems that this might be open to some sort of gaming or exploit -- more likely in conjunction with a lawsuit than a hack, but who knows. Probably need to consider privacy policy and policy to prevent abusive behavior, and assert your institutional right to monitor (if you indeed claim the right to monitor) on the public side, as well as notice that your network is intended for the benefit of your institution and that any unapproved access is considered trespass. Include institutional policy with respect to copyrighted materials on the public side. Publish any restrictions on user-operated servers/services in the internal site. Do not publish network architecture, particularly defensive systems. Out of curiosity, do you recommend retaining backups of e-mail? If so, for how long? I've heard the lawyers argue several different directions on this question.
spaf () CERIAS PURDUE EDU 08/26/02 08:59AM >>>
At 8:47 -0700 8/26/02, Jere Retzer wrote:
To what extent should you publicize these policies?
Policies should be public. They are a statement of the values of the organization. People can't be expected to make a good faith effort to align with the policies if they don't know them! Standards should also be public, at least within the organization. Again, it is not possible to meet standards unless you are aware of them. Furthermore, you need to know them to resolve conflicts and audit performance. Guidelines can be kept private or even unpublished so long as they are understood.

Think of it as in US Federal government. The Constitution is a statement of the principles on which the country is founded. It lays out rights and responsibilities, and it defines players and their roles. It isn't very long (a few pages), and it is seldom altered. The US Code (Federal Law) comes in multiple "titles", each covering a particular area of need. It is written to be specific and have performance measures. It is public, although few people read all of it. It is considerably longer than the "policy", and only a small portion at a time gets altered based on need and circumstances. Operational guidelines and rules are in place within different agencies and branches of government. The folks in the USDA don't really care about the operational rules for the Navy SEALS, and in fact, those rules are classified and not public. However, they all are held accountable to law, and ultimately, to the Constitution.

--spaf

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.