Educause Security Discussion mailing list archives
Re: computer use policy
From: Ken Shaurette <Ken.Shaurette () OMNITECHCORP COM>
Date: Fri, 16 May 2003 07:40:56 -0500
I concur with Gary. By creating the policy with more broad statements you won't fall into the common mistake of incorporating procedures right into the policy. Use separate documentation, a separate manual for procedures and/or standards that can be referenced. It also keeps the policy more concise and readable.

Here is what might be a sample:

Computer resources are intended for school use only. It is recognized that on occasion personal use is acceptable and is permissible if the use does not:

(1) Interfere with the User's work performance.
(2) Interfere with any other User's work performance.
(3) Unduly impact the operation of the technology resources or negatively impact university activity.
(4) Consume more than a trivial amount of resources that would otherwise be used for educational or university business purposes.
(5) Violate any other provision in this Policy or any other policy, guideline, or standard that has been established for university computing resources. Refer to <list where>.

This is targeted more at personal versus business use, but could be modified to handle your situation.

Ken M. Shaurette CISSP, CISA, CISM, IAM
Information Security Solutions Manager
Omni Tech Corporation, www.omnitechcorp.com
(262) 523-3300 x486

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, May 15, 2003 1:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] computer use policy

John Isenhour wrote:
I've always found that policy documents need to stay a bit nebulous rather than specific in order to remain effective, so using "disruptive" or "illegal" is better than "KaZaa".
One model that we've explored is to have a policy remain in its natural nebulous state <grin> but reference a "standard" that spells out specifics. Ergo, policy may mention a responsibility to follow university software standards while the standard itself is the proverbial living document that specifically lists approved or banned software packages according to issues and technologies of the day.
Academic policy is fundamentally different from some business or military type policy in that ours is "you can do anything but this" whereas the other is "you can only do this and nothing else".
With the "you can do anything but this" strategy, one can still accomplish quite a bit if the "this" is defined in general terms rather than in specifics.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.