Educause Security Discussion mailing list archives

Re: computer use policy


From: Ken Shaurette <Ken.Shaurette () OMNITECHCORP COM>
Date: Fri, 16 May 2003 07:40:56 -0500

I concur with Gary; by creating the policy with more broad statements
you won't fall into the common mistake of incorporating procedures right
into the policy.  Use separate documentation, a separate manual for
procedures and/or standards that can be referenced.  It also keeps the
policy more concise and readable. 

Here is what might be a sample: 

Computer resources are intended for school use only.  It is recognized
that on occasion personal use is acceptable and is permissible if the
use does not: 
(1) Interfere with the User's work performance. 
(2) Interfere with any other User's work performance.
(3) Unduly impact the operation of the technology resources or
negatively impact university activity.
(4) Consume more than a trivial amount of resources that would otherwise
be used for educational or university business purposes.
(5) Violate any other provision in this Policy or any other policy,
guideline, or standard that has been established for university
computing resources.  Refer to <list where>.

This is targeted more at personal versus business use, but could be
modified to handle your situation.

Ken M. Shaurette
CISSP, CISA, CISM, IAM
Information Security Solutions Manager
Omni Tech Corporation, www.omnitechcorp.com
(262) 523-3300 x486



-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Thursday, May 15, 2003 1:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] computer use policy


John Isenhour wrote:

I've always found that policy documents need to stay a bit nebulous 
rather than specific in order to remain effective, so using 
"disruptive" or "illegal" is better than "KaZaa".

One model that we've explored is to have a policy remain in
its natural nebulous state <grin> but reference a "standard" that spells
out specifics.

Ergo, policy may mention a responsibility to follow university software
standards while the standard itself is the proverbial living document
that specifically lists approved or banned software packages according
to issues and technologies of the day.

Academic policy is fundamentally different from some business or 
military type policy in that ours is "you can do anything but this" 
whereas the other is "you can only do this and nothing else".

With the "you can do anything but this" strategy, one can still
accomplish quite a bit if the "this" is defined in general terms rather
than in specifics.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
