Re:

["Custer, William L. Mr." <custerwl () MUOHIO EDU>]

Demo it to his dean or even the provost or president, get them to sign on based on cost savings from just one HB 104 
exposure.

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, December 17, 2007 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

Hi All:

I am having a bit of a tussle with a faculty member who is on one of the committees that already approved UC having a 
Full Disk Encryption Policy.  I won't overload you with the verbose emails that have gone back and forth but it seems 
that his concern is summed up in that he doesn't want a policy for this as that makes it mandatory and he is making 
some grandiose blanket statements about the impact to faculty if we have a Full Disk Encryption policy in place. (see 
below)   The policy basically says:  all PCs that store restricted data (FERPA, HIPAA, GLB, PCI) will be encrypted with 
PGP's full disk encryption software at no cost to the individual or department. This software will be supported, as 
needed, by Central IT.


Hi Kevin

Encouraging FDE (full disk encryption) is fine.  Mandating it - is not.

Regarding your comment that "My profession is all about Risk mgt and mitigation".
That is the trouble with the policy.  Faculty teach, do research, etc. The policy needs to strike a balance. In years 
past, we had similar discussions about libraries.  To protect the books, libraries should simply close their doors. A 
balance needs to found.

The goal of the policy should be to assist professors to follow the law while they do their job.


Here's my question:  I have talked about how transparent the tool is, my team and I have used it for about 6 months 
now;  I have talked about how as an adjunct I found it easy to use, and I have talked about how this IS a tool that 
allows faculty to do their job and to safeguard information at the same time.   I have also offered to let him try the 
tool and he has not taken me up on that.  The net result I have had is nill.

Have any of you had success with a technique to overcome this type of obstacle?   I have no doubt that the policy will 
be approved and moved forward but I would also like to get this very vocal faculty member's support if possible.

Thanks,

-Kevin



Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)


 [cid:image001.png@01C840AD.48646CC0]


CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may 
be legally privileged. Access to this message and its content by any individual or entity other than those identified 
in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this 
e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be 
unlawful.