Educause Security Discussion mailing list archives

Re: Advice on Network Security Policies[Message Scanned]


From: Jimmy Fikes <fikesj () WBU EDU>
Date: Thu, 13 Jan 2005 16:18:32 -0600

After reading Nancy Flynn's book, E-mail Rules: A Guide to Managing
Policies, Security, and Legal Issues (AMACOM, 2003), we implemented an
e-mail retention policy.  We were also motivated by an unfortunate
allegation against a person that potentially threatened to harm both the
individual and the university. Flynn makes a persuasive argument for message
archiving. It is not inordinately expensive or difficult and may someday
prove to be less expensive than a lawyer.

Jimmy Fikes
Director of Information Technology Services
Wayland Baptist University



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa M Rowe
Sent: Thursday, January 13, 2005 11:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Advice on Network Security Policies[Message Scanned]

I encourage you to review your questions with your legal
staff and your police department.

After much review here, the decision was that personally
identifiable log info is kept for 48 hours.  No email is
kept; we do not even back up our email system for emergency
purposes.  We specify our practice in our system
administrator policy
http://www2.oakland.edu/audit/POLCY880.HTM
The feeling was if we don't have it, we cannot turn it over.

And yes, the FBI and "other sorts" have been here, expressed
surprise, but no other issues have come up.

Theresa Rowe



---- Original message ----
Date: Thu, 13 Jan 2005 11:40:14 -0500
From: "Parker, Ben C" <parkerbc () MUC EDU>
Subject: [SECURITY] Advice on Network Security Policies
[Message Scanned]
To: SECURITY () LISTSERV EDUCAUSE EDU

  Question in which I am hoping for some advice from
  those with expertise? Where is a good place to find
  out what we as a small private liberal arts college
  are required to keep/have as far as legal issues are
  concerned with some of the following things?

  1. How detailed and how long do we need to
  keep firewall logs? Currently we are logging denies
  and NAT timeouts.  What are we required to keep, and
  what would be good to have in case we get file
  sharing notice? (Since in the year and a half I have
  been here we have kept things locked down tight
  enough that students haven't been able to file
  share, but there is strong pressure to open things
  up more.)

  2. What other things should we be auditing and
  how extensively?

  3. What are the other questions I should be
  asking but don't even know what to ask about?



  ********** Participation and subscription
  information for this EDUCAUSE Discussion Group
  discussion list can be found at
  http://www.educause.edu/groups/.
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
