Educause Security Discussion mailing list archives
Re: computer use policy
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 16 May 2003 09:39:38 -0500
The aspect of policy that Randy points out must not be minimized. Keep the policy statements very simple, and use standards/procedures/guidelines (probably that ordering is commensurate with the amount of approval or buy-in that would be required for each style) to support them. Standards are imposed and there is no real leeway; a guideline is essentially a suggestion as to best practice. Auditors will say they can audit against policies and standards, and procedures in some case, but not very well against guidelines, so that may have an effect on what you call things. M. -- Mark S. Bruhn, CISSP Chief IT Security and Policy Officer Indiana University 812-855-0326 -----Original Message----- From: Randy Marchany [mailto:marchany () VT EDU] Sent: Friday, May 16, 2003 8:18 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] computer use policy Never include technology in your policy. Stealing is stealing whether in the cyber world or the real world. We have the following policy structure: 1. The official AUP was approved by our Board of Visitors (your Board of Regents, etc.). It has a link to Acceptable Use Guidelines (AUG) that contain the technology specific items. 2. If we change a word in the AUP, our BOV has to approve it. Since they meet a couple of times a year, it'll take a while to get the change approved. 3. The AUG doesn't require BOV approval. We can change it as needed, when needed. 4. Both docs are short (1 page). They've been in effect since 1990 and have held up well. You can see them at http://security.vt.edu and click on the Acceptable Use link on the right side of the page. Randy Marchany VA Tech ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- computer use policy John Isenhour (May 15)
- <Possible follow-ups>
- Re: computer use policy Gary Flynn (May 15)
- Re: computer use policy Ken Shaurette (May 16)
- Re: computer use policy Randy Marchany (May 16)
- Re: computer use policy Bruhn, Mark S. (May 16)