Re: User's not following the rules

[Bob Kalal <kalal.1 () OSU EDU>]

Likewise echo...our policy says that violations will be handled  
through university disciplinary processes appropriate to the  
violator's status - student, faculty, staff, and visitor would all  
follow different routes - student judicial or academic misconduct,  
human resources progressive discipline, faculty rules, or the cops.

Bob Kalal

On Sep 17, 2008, at 4:14 PM, Theresa Semmens wrote:

> I echo Gary’s comments.  Our acceptable use procedure can be found  
> here http://its.ndsu.edu/security/au/
>
> Theresa Semmens, CISA
> NDSU IT Security Officer
> PO Box 6050
> North Dakota State University
> Fargo, ND 58108
> Phone: 701-231-5870
> FAX: 701-231-8541
> Theresa.Semmens () ndsu edu
>
> "Opportunity is missed by most people because it is dressed in  
> overalls and looks like work."  Thomas Edison
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> ] On Behalf Of Gary Dobbins
> Sent: Wednesday, September 17, 2008 3:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] User's not following the rules
>
> FWIW, judgments in cases like the one you describe are handled  
> (here) by the relevant University office (e.g. Student Affairs, HR,  
> Provost) because they have ceased to be "information security" in  
> nature, and instead are an employee performance issue or a code-of- 
> conduct question.
> Ihe IT folks become suppliers to those offices of background data on  
> the case.  We are not expected to judge nor impose sanctions of our  
> own choosing.  I have found this to be a very proper arrangement.
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> ] On Behalf Of James Farr '05'
> Sent: Wednesday, September 17, 2008 3:40 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] User's not following the rules
>
> We are currently evaluating what to do when a user does not follow  
> the Information Security Policies adopted by the institution.
>
> Currently our policies are handled on a case by case basis.  There  
> are no set forth policies that clearly state if you provide your  
> password to another user x,y,z, will happen.
>
> Does anyone have a guideline they can share on what happens when a  
> user does not follow the established rules.
> Do you test users on their understanding of the security policies?
> If so are penalties more sever if the user demonstrated knowledge in  
> the area?
> Do sanction change based on the number of times they do not follow  
> the policy?
>
> Thank you for your time
> James Farr
> Utica College
> Information Security Officer