Educause Security Discussion mailing list archives

Re: User's not following the rules


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 18 Sep 2008 08:49:16 -0700

 

Good point to address, Bill. One of the more subtle areas is how to
handle things such as a person who shares passwords, for example. For
us, we divide incidents into a few general categories, including
"misuse" and "abuse". The former describes violations of IT policy, in
which case we talk to the person first (rogue access point, etc.),
because in most cases misuse stems from a business need not being
addressed. The latter category, abuse, we shunt off through the normal code
of conduct (thus going to deans or HR).

 

 In other words, it is a reasonable expectation that HR will properly
handle porn. At the same time, it doesn't serve the interests of the
institution or the employees involved to ask HR to discipline a
department that isn't securing medical records. For us, "misuse"
occupies the majority of our work, which means we are working with
employees to provide them the awareness/process/tools they need. 

 

~~~~~~~~~~~~~~~~~~

Brian Basgen

Information Security

Pima Community College

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill Lantry
Sent: Thursday, September 18, 2008 7:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

 

James,

 

Like most places, these things fall into the relevant administrative
area (Student Life, Provost, HR, etc.) here. But we wrote an
intermediate step into the process. The "offender" is required to meet
with the Director of Academic Technology and the Information Security
Officer (here, that's the same person). Almost all problems get solved
that way; if they don't, then they get kicked into the relevant judicial
areas, accompanied by a written report from the Director. This saves a
tremendous amount of time, and ensures that we have fewer arbitrary
rulings (which was the original reason we started doing this).

 

Thanks,

 

Bill

On Thu, Sep 18, 2008 at 10:28 AM, James Farr '05' <jfarr () utica edu>
wrote:

Thank you everyone,
This has been very helpful.  HR is currently involved in the process,
but we are still having a problem getting users to grasp the severity of
some of these issues.  It looks like we are going to stay with the group
and keep out of the disciplinary process.

 

I am still curious about testing.  At some point during this school year
I will be developing a test that I can give to participants in training
classes, or a pretest so they can test out of the class.  Initially
these tests will be anonymous. Since compliance is our goal we are
considering keeping the results of a test to help show people both read
and understood the policies and procedures.  We can force people to read
and sign a document stating they read the document, but that does not
show their actual level of understanding.

 

We want to be fair to the users.  Let's face it, I might fail the test
on organic chemistry the first time.  That subject is not part of my
everyday lingo.  If they do not pass the test they are not going to be
"in trouble", but the results would help identify people who might
require a different approach to learning this information.  In the end
we hope this will lead to more educated users and a less vulnerable
environment.

Thank you for your time

James Farr

Utica College

Information Security Officer

315-223-2386

Jfarr () utica edu

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mehmedovic, Jenny
Sent: Thursday, September 18, 2008 9:47 AM


To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

 

We use the following general language or something like it in most of
our information technology-related policies, so that misbehavior or
violation of policies can be assessed on a case-by-case basis.  Our
Information Security policy gets a bit more in-depth & detailed.  See
https://documents.ku.edu/policies/Information_Services/Information_Technology/Security_Policy/Security_Policy.htm.

 

Feel free to browse our other IT policies at
http://www.policy.ku.edu/category.shtml?8.

 

Whatever approach you decide to take, make sure you involve your Human
Resource & General Counsel offices.  We feel strongly here that any
disciplinary action taken should occur within the department & under
advisement of HR & Counsel (i.e., IT is not the one meting out the
disciplinary measure...) 

 

_______________________________

Use of University electronic information resources contrary to this
policy, University or Regents' policies, or applicable federal, state or
local law is prohibited and may subject the user to disciplinary action
including, but not limited to, suspension of the user's access to the
electronic information resources. Users also should be aware of other
possible consequences under University or Regents' policies and federal,
state, or local laws, particularly those related to computer crime and
copyright violation. 

______________________

Faculty, staff and student employees who violate this university policy
may be subject to disciplinary action for misconduct and/or performance
based on the administrative process appropriate to their employment. 

 

Students who violate this university policy may be subject to
proceedings for non-academic misconduct based on their student status. 

 

Faculty, staff, student employees and students may also be subject to
the discontinuance of specified information technology services based on
the policy violation.

___________________________________________

Employment actions should be handled by the appropriate department with
the advice and guidance of Human Resources/Equal Opportunity and the
Office of the General Counsel.  Student disciplinary actions should be
handled by the appropriate department in collaboration with Student
Success.

___________________________________________

Jenny Mehmedovic 
Assistant to the Provost 
University of Kansas 
(785) 864-4904 
jmehmedo () ku edu 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sachnoff, Neil
Sent: Thursday, September 18, 2008 5:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

Last time we tried to push this concept the institution was unwilling to
place in policy what the penalties would be. We have many unions on
campus.

 

/Neil  

Neil S. Sachnoff, Executive Director, Information Technology
Middlesex County College 
2600 Woodbridge Avenue, JLC Rm. 209 
Edison, NJ 08818-3050 

Think before you print

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User's not following the rules

 

We are currently evaluating what to do when a user does not follow the
Information Security Policies adopted by the institution.

Currently our policies are handled on a case-by-case basis.  There are
no set-forth policies that clearly state that if you provide your password to
another user, x, y, z will happen.

Does anyone have a guideline they can share on what happens when a user
does not follow the established rules?

Do you test users on their understanding of the security policies?

If so, are penalties more severe if the user demonstrated knowledge in the
area?

Do sanctions change based on the number of times they do not follow the
policy?

 

Thank you for your time

James Farr

Utica College

Information Security Officer
