Educause Security Discussion mailing list archives
Re: User's not following the rules
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 18 Sep 2008 08:49:16 -0700
Good point to address, Bill. One of the more subtle areas is how to handle things such as a person who shares passwords, for example. For us, we divide incidents into a few general categories, including "misuse" and "abuse". The former describes violations of IT policy, in which case we talk to the person first (rogue access point, etc.), because in most cases misuse stems from a business need not being addressed. The latter category, abuse, we shunt off through the normal code of conduct (thus going to deans or HR). In other words, it is a reasonable expectation that HR will properly handle porn. At the same time, it doesn't serve the interests of the institution or the employees involved to ask HR to discipline a department that isn't securing medical records. For us, "misuse" occupies the majority of our work, which means we are working with employees to provide them the awareness/process/tools they need.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill Lantry
Sent: Thursday, September 18, 2008 7:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

James,

Like most places, these things fall into the relevant administrative area (Student Life, Provost, HR, etc.) here. But we wrote an intermediate step into the process. The "offender" is required to meet with the Director of Academic Technology and the Information Security Officer (here, that's the same person). Almost all problems get solved that way; if they don't, then they get kicked in to the relevant judicial areas, accompanied by a written report from the Director. This saves a tremendous amount of time, and ensures that we have fewer arbitrary rulings (which was the original reason we started doing this).

Thanks,
Bill

On Thu, Sep 18, 2008 at 10:28 AM, James Farr '05' <jfarr () utica edu> wrote:

Thank you everyone, this has been very helpful. HR is currently involved in the process, but we are still having a problem getting users to grasp the severity of some of these issues. It looks like we are going to stay with the group and keep out of the disciplinary process.

I am still curious about testing. At some point during this school year I will be developing a test that I can give to participants in training classes, or a pretest so they can test out of the class. Initially these tests will be anonymous. Since compliance is our goal, we are considering keeping the results of a test to help show people both read and understood the policies and procedures. We can force people to read and sign a document stating they read the document, but that does not show their actual level of understanding. We want to be fair to the users. Let's face it, I might fail the test on organic chemistry the first time. That subject is not part of my everyday lingo. If they do not pass the test they are not going to be "in trouble", but the results would help identify people who might require a different approach to learning this information. In the end we hope this will lead to more educated users and a less vulnerable environment.

Thank you for your time,

James Farr
Utica College
Information Security Officer
315-223-2386
Jfarr () utica edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mehmedovic, Jenny
Sent: Thursday, September 18, 2008 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

We use the following general language, or something like it, in most of our information technology-related policies, so that misbehavior or violation of policies can be assessed on a case-by-case basis. Our Information Security policy gets a bit more in-depth and detailed. See https://documents.ku.edu/policies/Information_Services/Information_Technology/Security_Policy/Security_Policy.htm. Feel free to browse our other IT policies at http://www.policy.ku.edu/category.shtml?8.

Whatever approach you decide to take, make sure you involve your Human Resources and General Counsel offices. We feel strongly here that any disciplinary action taken should occur within the department and under advisement of HR and Counsel (i.e., IT is not the one meting out the disciplinary measure...).

_______________________________
Use of University electronic information resources contrary to this policy, University or Regents' policies, or applicable federal, state or local law is prohibited and may subject the user to disciplinary action including, but not limited to, suspension of the user's access to the electronic information resources. Users also should be aware of other possible consequences under University or Regents' policies and federal, state, or local laws, particularly those related to computer crime and copyright violation.

______________________
Faculty, staff and student employees who violate this university policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment. Students who violate this university policy may be subject to proceedings for non-academic misconduct based on their student status. Faculty, staff, student employees and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

___________________________________________
Employment actions should be handled by the appropriate department with the advice and guidance of Human Resources/Equal Opportunity and the Office of the General Counsel. Student disciplinary actions should be handled by the appropriate department in collaboration with Student Success.
___________________________________________

Jenny Mehmedovic
Assistant to the Provost
University of Kansas
(785) 864-4904
jmehmedo () ku edu

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sachnoff, Neil
Sent: Thursday, September 18, 2008 5:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

Last time we tried to push this concept the institution was unwilling to place in policy what the penalties would be. We have many unions on campus.

/Neil

Neil S. Sachnoff, Executive Director, Information Technology
Middlesex County College
2600 Woodbridge Avenue, JLC Rm. 209
Edison, NJ 08818-3050
Think before you print

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User's not following the rules

We are currently evaluating what to do when a user does not follow the Information Security Policies adopted by the institution. Currently our policies are handled on a case-by-case basis. There are no set-forth policies that clearly state "if you provide your password to another user, x, y, z will happen." Does anyone have a guideline they can share on what happens when a user does not follow the established rules? Do you test users on their understanding of the security policies? If so, are penalties more severe if the user demonstrated knowledge in the area? Do sanctions change based on the number of times they do not follow the policy?

Thank you for your time,

James Farr
Utica College
Information Security Officer