Re:

[Allan Williams <allan.williams () ANU EDU AU>]

G'day,
	I've learnt that you can't use the "M" word with some academics - no  
matter how just your cause they will pull out some extreme example.   
In some sense you are playing the same game by stating that this  
technology is needed to protect the data from disastrous consequences.

A few  of suggestions
1) Acknowledge that policy is attempting to mitigate the risk and  
state that you would be happy to consider alternative solutions if  
they can be shown to be effective - probably worth listing out the  
type of risks your trying to prevent and invite them in for a one on  
one to discuss.

2) Go over his head - depends where they sit in the food chain

3) Don't make it an IT policy - push it out to your research office/  
grants/ ethics body and make it a condition of researching in this  
area or have it tied to funding this type or research.

4) Ignore it, it's been approved and you can't please all the of the  
people all of the time. Hopefully you managed to get an audit clause  
in and in 6 months time he could come in for a "random" audit :)

Regards,
        Allan


On 18/12/2007, at 4:15 AM, Mclaughlin, Kevin (mclaugkl) wrote:

> Hi All:
>
>
>
> I am having a bit of a tussle with a faculty member who is on one  
> of the committees that already approved UC having a Full Disk  
> Encryption Policy.  I won’t overload you with the verbose emails  
> that have gone back and forth but it seems that his concern is  
> summed up in that he doesn’t want a policy for this as that makes  
> it mandatory and he is making some grandiose blanket statements  
> about the impact to faculty if we have a Full Disk Encryption  
> policy in place. (see below)   The policy basically says:  all PCs  
> that store restricted data (FERPA, HIPAA, GLB, PCI) will be  
> encrypted with PGP’s full disk encryption software at no cost to  
> the individual or department. This software will be supported, as  
> needed, by Central IT.
>
>
>
>
>
> Hi Kevin
>
> Encouraging FDE (full disk encryption) is fine.  Mandating it — is  
> not.
>
> Regarding your comment that “My profession is all about Risk mgt  
> and mitigation”.
> That is the trouble with the policy.  Faculty teach, do research,  
> etc. The policy needs to strike a balance. In years past, we had  
> similar discussions about libraries.  To protect the books,  
> libraries should simply close their doors. A balance needs to found.
>
> The goal of the policy should be to assist professors to follow the  
> law while they do their job.
>
>
>
>
>
>
> Here’s my question:  I have talked about how transparent the tool  
> is, my team and I have used it for about 6 months now;  I have  
> talked about how as an adjunct I found it easy to use, and I have  
> talked about how this IS a tool that allows faculty to do their job  
> and to safeguard information at the same time.   I have also  
> offered to let him try the tool and he has not taken me up on  
> that.  The net result I have had is nill.
>
>
>
> Have any of you had success with a technique to overcome this type  
> of obstacle?   I have no doubt that the policy will be approved and  
> moved forward but I would also like to get this very vocal faculty  
> member’s support if possible.
>
>
>
> Thanks,
>
>
>
> -Kevin
>
>
>
>
>
>
>
> Kevin L. McLaughlin
>
> CISM, CISSP, PMP, ITIL Master Certified
>
> Director, Information Security
>
> University of Cincinnati
>
> 513-556-9177 (w)
>
> 513-703-3211 (m)
>
> 513-558-ISEC (department)
>
>
>
>
>
>  <image003.png>
>
>
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and its content is  
> confidential, intended solely for the addressee, and may be legally  
> privileged. Access to this message and its content by any  
> individual or entity other than those identified in this message is  
> unauthorized. If you are not the intended recipient, any  
> disclosure, copying or distribution of this e-mail may be unlawful.  
> Any action taken or omitted due to the content of this message is  
> prohibited and may be unlawful.
>
>
>
>
>
> <image003.png>

==================================
Allan Williams
Head Systems & Desktop Services
Division of Information
R.G. Menzies Building
Building 2
The Australian National University
Canberra ACT 0200

T: +61 2 6125 8404
M: 0400 480 144
www.anu.edu.au

CRICOS Provider #00120C
==================================