Educause Security Discussion mailing list archives

Re: Making the case for security policies and personnel

From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Fri, 7 Feb 2003 20:17:32 -0500

Dorette,

As alternative routes, may I inquire: What kind of policy
process/formulation/issuance structures do you have at your school?.  As a
policy advisor I may be prejudiced to think that policy is often the
driving force behind comprehensive change in this or any other significant
administrative area.  Whether or not you have the explicit encouragement of
the highest levels of the administration, you and your organization can
move forward with policy; and if such a process is not clearly defined or
instituted at UNK then this might be opportunity to get it going.

Policy is worthless unless there is the requisite buy-in with a critical
mass of IT personnel and/or distributive supportive units throughout
campus, IT or otherwise.  If you are starting from scratch, then perhaps
setting up vetting committees with representation from around campus to
share and learn from each other.  There is some information about how we
have worked on this project at Cornell at
http://www.cit.cornell.edu/oit/policy/drafts/.  In the next week or so we
should have four security policies on offer: Security of Information
Technology Resources; Network Registry; Security Incidents Reporting, and
Appropriate Use of Passwords.

Of course, one size never fits all, but I would encourage efforts to
proceed with what is appropriate for security policies and practices
irrespective of whether the top central administration has fails to see the
leadership light -- you could model it for them.

Good fortune!

Tracy Mitrano

 05:45 PM 2/7/2003 -0600, you wrote:

Mark,
I heard you speak at Net@edu about making the case for security
policies and personnel on your campus.  It was helpful information.  You
talked about the importance of speaking in CEO or cabinet talk rather
than technical talk.  You also mentioned that you may have a slide show
you used on your campus.
I'm having difficulty getting traction with the administration on this
issue so I'm looking for other approaches.  I'd sure appreciate any
examples, models you would be willing to share.
Thanks, Mark.
Best wishes,
Dorette

Dorette Kerian, Director, ITSS
Information Technology Systems and Services
University of North Dakota and Higher Education Computer Network
dorette_kerian () mail und nodak edu
701.777-3880, fax 701.777-3978

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.

Current thread:

Making the case for security policies and personnel Dorette Kerian (Feb 07)
- <Possible follow-ups>
- Re: Making the case for security policies and personnel Dorette Kerian (Feb 07)
- Re: Making the case for security policies and personnel Jim Wilcox (Feb 07)
- Re: Making the case for security policies and personnel Tracy Mitrano (Feb 07)
- Re: Making the case for security policies and personnel Jim Moore (Feb 10)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 13)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 14)
- Re: Making the case for security policies and personnel Bruhn, Mark S. (Feb 14)
- Re: Making the case for security policies and personnel James Conley (Feb 14)
- Re: Making the case for security policies and personnel Ced Bennett (Feb 18)
- Re: Making the case for security policies and personnel Scott Bradner (Feb 19)