Educause Security Discussion mailing list archives

Re:


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Tue, 18 Dec 2007 09:57:22 -0500

Someone in this thread mentioned that you can't please everyone, which
is certainly true.  If you have an otherwise good relationship with this
person, perhaps you could attempt to persuade him to tell you why this
won't work and how exactly it adversely impacts research and teaching.
Whole disk encryption is in my opinion transparent and I doubt that this
person will be able to build a good case for why it won't work.  If the
policy has already been approved, then this is really a case of building
trust between your office and the faculty.  It doesn't seem that this
person is able to see past the technology to the bigger picture of
risk.  I would consider a one-on-one discussion to bring this person up
to speed on what it is you really do and the reason that you do it.

In the past I have asked my vocal adversaries to become "faculty
liaisons".  They act as a sounding board for new ideas, they help write/
recommend policy, and they test new procedures.  I think that bringing
them into your world in this way makes them feel empowered and
involved.  You won't always see eye to eye, but more often than not they
will turn out to be supporters after they see what it is you are really
trying to do (manage risk).

My 2 cents...

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu

Hi All:
 
I am having a bit of a tussle with a faculty member who is on one of the
committees that already approved UC having a Full Disk Encryption
Policy.  I won't overload you with the verbose emails that have gone
back and forth but it seems that his concern is summed up in that he
doesn't want a policy for this as that makes it mandatory and he is
making some grandiose blanket statements about the impact to faculty if
we have a Full Disk Encryption policy in place. (see below)   The policy
basically says:  all PCs that store restricted data (FERPA, HIPAA, GLB,
PCI) will be encrypted with PGP's full disk encryption software at no
cost to the individual or department. This software will be supported,
as needed, by Central IT.  
 
 
Hi Kevin

Encouraging FDE (full disk encryption) is fine.  Mandating it -- is not.   

Regarding your comment that "My profession is all about Risk mgt and
mitigation".
That is the trouble with the policy.  Faculty teach, do research, etc.
The policy needs to strike a balance. In years past, we had similar
discussions about libraries.  To protect the books, libraries should
simply close their doors. A balance needs to be found.

The goal of the policy should be to assist professors to follow the law
while they do their job.

 
 
Here's my question:  I have talked about how transparent the tool is, my
team and I have used it for about 6 months now;  I have talked about how
as an adjunct I found it easy to use, and I have talked about how this
IS a tool that allows faculty to do their job and to safeguard
information at the same time.   I have also offered to let him try the
tool and he has not taken me up on that.  The net result I have had is nil.
 
Have any of you had success with a technique to overcome this type of
obstacle?   I have no doubt that the policy will be approved and moved
forward but I would also like to get this very vocal faculty member's
support if possible.
 
Thanks,
 
-Kevin
 
 
 
Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
 
 
 
 
