Re:

[Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>]

Very interesting discussion.  Are you attempting to create a policy in
response to a specific event that occurred that was not expressly
forbidden in the current acceptable use policy?  Are you attempting to
address a particular risk by creating such a policy?

It seems to me that such an action would be forbidden by any ethics
policy currently in place.  If you falsify your identity when speaking
with an university official, you are purposely committing fraud, at
the very least.  Regardless of communication medium, this is
inappropriate behavior.

You may also need to look at controls currently in place.  Rather than
just create another policy that could be overlooked, what technology
are you going to put in place in support of your policy? (i.e Digital
Signatures for email)

I can't wait to hear more about your thought/decision process
regarding this issue.

Sincerely,

Sarah E Stevens

> We're looking at the possibility of providing in a policy that it
would be
> an acceptable use violation to misrepresent who one is when
communicating
> with a university official; particularly as it applies to employees.
>
> This is to get at the situation where someone uses an alias to
communicate
> on a work related matter to someone else.
>
> I'm wondering if any of you have such a restriction in place, or
could point
> me to a policy with such a restriction. Any advice or suggestions
would be
> helpful.
>
> Best regards,
>
> Theresa Semmens, CISA
> IT Security Officer
> North Dakota State University
> IACC 210C
> Ph: 701-231-5870
> E-mail: theresa.semmens () ndsu edu
>
> "If you believe you cannot do something, it makes you incapable of
doing it.
> But when you believe you can, you acquire the ability to do it, even
if you
> did not have the ability in the beginning."       Mahatma Gandhi

--