Educause Security Discussion mailing list archives

Re: Logon Message


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 7 Aug 2003 10:30:39 -0500

Well, setting any legal argument, absurd or not, aside should be done
after soliciting input from experienced colleagues and good sources,
which is what Steve is doing, and then only in consultation with
Counsel.  (A partnership and continuing dialogue with Counsel is
critical.  As are similar relationships with audit, police, deans of
students, HR, etc.  Many of us are still fighting the perception of the
security officer as the bad cop.)

By the way, I have seen banners that include a statement that indicates
that the absence of the same banner on other systems does not imply that
those systems have different usage and access restrictions.

And, some campuses may in fact have a real need to put their banners in
multiple languages...

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Jim Moore [mailto:jhmfa () RIT EDU] 
Sent: Thursday, August 07, 2003 10:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Logon Message


There are times that the legal arguments have to be set aside.  The
argument stated is as absurd as saying that if you don't have it in
Chinese, then you can't blame Chinese hackers for breaking in.  If you
attempt to clearly distinguish between public and non-public resources,
and communicate it on every available venue, then relax.

Some groups may choose not to manage their risk by not putting up that
sort of a warning.  In that case, just let them know clearly, and in
writing, that they are assuming the risk of being considered a public
resource by not adopting the warning banner.

Lastly, don't be afraid to go to court.  If you have warning banners on
60% of authentications, and 30% of the remaining do not have a warning
banner due to technical reasons (like drive mapping).  Then you are
covering 86% of the available authentication space.  If your legal
counsel can't work with that in court ...

The wording (paraphrase) sounds good.  I would add something that says
"authorized users" are expected to comply with all university policies
governing information handling, and computer and network use.  We use
"authorized user" as a key phrase in our policy, so baseline is
consistent for alumni, retirees, outsourced vendors etc.

Jim

Jim

Steven R. Smith wrote:
That's exactly my concern.  We also have a diverse system environment
here, and because of the different communities we serve, there is much
debate as to how to present the message depending on the user's
relationship with the University.  Our position (and is supported by
Counsel) is that if we post the message at the perimeter points of login
we are protecting all systems accessed after that point.  Our Login
message also states this.  My feeling is that at least we're doing
something, and not saying "welcome".

Does this make sense?  I'd love to hear other points of view, and any
real life experiences would help.

I'll also relay your comment to our Counsel for consideration.

Thanks,

Steve.

Steven R. Smith
IS Security Specialist
Hofstra University
516.463.3944


mbruhn () INDIANA EDU 08/06/03 06:44PM >>>

Clearly, I'm a little behind (no jokes, please :)

Many believe that if this can't be done consistently -- that is, such
that anyone and everyone who connects to any service on your network can
see this same warning -- you shouldn't do it at all.  The legal theory
is that if it isn't displayed consistently, a case could be made (in
court, by an alleged intruder's lawyer, for example) that a system
without it doesn't have the same level of privacy as those that do.

If you can't do it this way -- we can't in our environment, because of
the diversity of systems and applications -- you should ask your Counsel
to think about it from this angle as well, if they haven't already
done so.

M.

--
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Steven R. Smith [mailto:Steven.R.Smith () HOFSTRA EDU]
Sent: Friday, August 01, 2003 1:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Logon Message


Greetings all!

We are in the process of implementing a logon message that will appear
each time a user logs on to our network.  The message consists of two
parts: Security, which essentially says these resources are for
authorized users, all activity may be monitored, and if you are not
authorized, please leave;  Privacy, which essentially says the systems
you are accessing may contain information that is protected by Federal
and State law, so you must take all precautions to protect it.

Clearly that's paraphrased, and obviously this is not a new idea.  The
complete message has been approved by our Chief Counsel.

I would like this message to be consistent throughout the community
(admin, faculty, and students) and to be presented in a consistent
format.  We were leaning toward a pop-up which appears after
authentication, and requires the user to click OK to continue to
login.  However, there is some discussion that it should be presented
to students through a different venue that will not be a pop-up.

What have other institutions done regarding this matter?

Any thoughts would be much appreciated.

Steve.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.



--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
