Educause Security Discussion mailing list archives

Re: computer use policy

From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Fri, 16 May 2003 09:39:38 -0500

The aspect of policy that Randy points out must not be minimized.  Keep
the policy statements very simple, and use
standards/procedures/guidelines (probably that ordering is commensurate
with the amount of approval or buy-in that would be required for each
style) to support them.  Standards are imposed and there is no real
leeway; a guideline is essentially a suggestion as to best practice.
Auditors will say they can audit against policies and standards, and
procedures in some case, but not very well against guidelines, so that
may have an effect on what you call things. 

M.


--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Indiana University
812-855-0326


-----Original Message-----
From: Randy Marchany [mailto:marchany () VT EDU] 
Sent: Friday, May 16, 2003 8:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] computer use policy


Never include technology in your policy. Stealing is stealing whether in
the cyber world or the real world. We have the following policy
structure:

1. The official AUP was approved by our Board of Visitors (your Board of
Regents, etc.). It has a link to Acceptable Use Guidelines (AUG) that
contain the technology specific items.

2. If we change a word in the AUP, our BOV has to approve it. Since they
meet a couple of times a year, it'll take a while to get the change
approved.

3. The AUG doesn't require BOV approval. We can change it as needed,
when needed.

4. Both docs are short (1 page). They've been in effect since 1990 and
have held up well. You can see them at http://security.vt.edu and click
on the Acceptable Use link on the right side of the page.


        Randy Marchany
        VA Tech

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.

Current thread:

computer use policy John Isenhour (May 15)
- <Possible follow-ups>
- Re: computer use policy Gary Flynn (May 15)
- Re: computer use policy Ken Shaurette (May 16)
- Re: computer use policy Randy Marchany (May 16)
- Re: computer use policy Bruhn, Mark S. (May 16)