List Participation Guidelines and Responsible Vendor Behavior

[Rodney Petersen <rpetersen () EDUCAUSE EDU>]

I apologize for the delay in weighing in on the list controversies of
last week.  As many of you know, many of us were engaged in a very
successful security conference last week in Denver, Colorado (Security
2007 - http://www.educause.edu/sec07).  As usual, cooler heads have
prevailed and the wisdom of the various contributors probably exceeds
the insights that I am about to offer.

First, some background about the list.  The Security Task Force created
this discussion list six years ago as a means to facilitate information
sharing for the improvement of computer and network security at colleges
and universities.  We elected to leverage the EDUCAUSE Discussion List
option because it allows the "open exchange" of information across a
range of colleges and universities.  The availability of public archives
also makes it possible for new security professionals to search previous
discussions for resources on questions they might want to pose to the
community.  Although the primary audience is college and university
security professionals, we have also recognized the value of government
and industry participation, including as a mechanism to raise their
awareness about the needs, concerns, and accomplishments of the higher
education community.  

Second, as the higher education security community has grown and
evolved, it became evident that the sharing of sensitive or
incident-related information should be limited to a vetted community of
college and university security professionals (not accessible to "bad
guys", "news media", or organizations that may use it for "personal
gain".)  Consequently, the Research and Education Networking Information
Sharing and Analysis Center (REN-ISAC) has established a closed mailing
list for REN-ISAC members.  We would encourage individuals responsible
for incident handling in a college and university community to join the
REN-ISAC for restricted information sharing forum:
http://www.ren-isac.net/membership.html

Third, there are "Participation Guidelines" for this list that you can
review at
http://www.educause.edu/ConstituentGroupParticipationGuidlines/892  The
relevant portions regarding "Promotional Messages and Advertising"
follows:  "Discussion groups are educational in nature and not intended
for promotional announcements, advertising, product-related press
releases, or other commercial use. Past reactions by subscribers
indicate that such postings are usually self-defeating."

Finally, since the "Participation Guidelines" and EDUCAUSE Policy are
silent regarding appropriate vendor behavior in response to listserv
questions or discussions, we must rely on corporate participants to
behave responsibly and ethically.  We are prepared to take corrective
action where necessary to address community concerns.  Several corporate
members of the list have recently posted some excellent advice and
observations in this regard (see April 16th post from Dennis Meharchand,
April 11th posts from Jim St. Clair and Kevin Moulton, and others.)  In
short, the Security Task Force believes that vendors are part of the
solution to improving computer and network security in higher education.
Therefore, we are relunctant to ban them from learning from these
discussions as some have suggested.  In some cases, the higher education
community can benefit from their insights as well.  In other cases,
their products and services will be improved based upon the needs and
concerns expressed by the community.  However, the continued
participation of vendors depends upon them acting responsibly upon the
information available to them and refraining from using the open
discussion forum that we provide for personal gain.

Thank you to everyone for your patience and perseverence as we strive to
create a communication mechanism that helps us improve the state of
cybersecurity in higher education.  Please let me know if you have any
further questions.

Best Regards,

-Rodney
--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------