Educause Security Discussion mailing list archives

Re: Guideline for Restricting Software


From: "Edwards, Francis" <FEdwards () MC CC MD US>
Date: Fri, 16 May 2003 14:20:16 -0400

Let me clarify my query.  Like many other institutions, we have an
Acceptable Use Policy already in place that handles the high-level
requirements / restrictions, and quite intentionally in generic,
non-specific terms.  For example, users will 
- "neither endanger the security of any College computer or network
facility nor willfully interfere with others' authorized computer use."
- "connect to College networks only with equipment/computers meeting
College technical and security standards."
 
What we're working on now is a lower-level guideline / standard or
whatever you care to call such a document.  Its purpose is to identify
specific categories (and occasionally specific products) that are
restricted, possibly prohibited, and would require authorization to
install / use.   For example, products used in teaching information
security courses are deadly if not properly contained.  In the
academic environment, we cannot, say, decree that people can use only
what IT provides them.  
 
Francis 


        -----Original Message-----
        From: Edwards, Francis 
        Sent: Wednesday, May 14, 2003 12:47 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Guideline for Restricting Software
        
        

        Does anyone have a guideline or other document restricting the
installation or use of specific software on institutional computers?
I'm talking about the nasty stuff like KaZaA, vulnerability scanners,
password crackers, etc. that have limited justification on a faculty or
staff workstation. 

        We're crafting something to document our need to restrict such
products, permit use when justified / authorized, and our authority to
have them removed.  

        It always helps seeing what others have done when crafting the
language.  And it sure helps in making the case if others already have
something similar in place.

        Thanks, 
        Francis L. Edwards, II  CISSP CCP 
        Manager, IT Security 
        Montgomery College 
        Rockville, MD 20855-2759 


        ********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/. 

