Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 12:28:17 +1300
On 18/03/2010, at 6:45 AM, Basgen, Brian wrote:
I agree, policies are one way the institution makes a definitive statement on acceptable levels of risk. The ideal situation is where the choice an employee makes vis-à-vis security compliance is whether or not to comply with college policy. Failure to comply may mean an ineffective policy, or may lead to opportunities for correction. Thus, while employees need to be a part of the policy development process, once the institution has collectively made a risk avoidance decision, it then becomes a compliance issue.
I have always viewed policy as a check point. You need to achieve some goal, you come up with a plan. At this point you should check the policy. Compliant -- great, off we go... Not compliant, time to stop and think:

* Are there alternate ways of doing this that don't breach the letter *or* the spirit of the policy?
* If the alternatives are more expensive, is the cost in proportion to the reduction in risk?
* Lots of other considerations...

Once one has thought about it, then if you have a means of doing what you need that fits with policy at a reasonable cost, great, go for it. If not, then talk to those responsible for the policy. All policies should have a mechanism for handling exceptions.

I believe that the purpose of having policies is to cut the cost of decision making so that most decisions can be made by the people on the ground. The fact that some activity does not comply with policy does not necessarily mean that it should not happen, just that it should not happen without scrutiny and without someone with authority explicitly taking responsibility for it.

Having a good policy framework should mean that the vast majority of what needs to happen takes place in a known space with a list of known and approved exceptions. This allows effort to be focused on the difficult or exceptional problems rather than being dissipated over all sorts of day to day stuff.

Russell
Current thread:
- Re: Are users right in rejecting security advice?, (continued)
- Re: Are users right in rejecting security advice? Eric Case (Mar 17)
- Re: Are users right in rejecting security advice? Dennis Meharchand (Mar 17)
- Re: Are users right in rejecting security advice? Jansen, Morgan R. (Mar 17)
- Re: Are users right in rejecting security advice? Katie Weaver (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Kevin Wilcox (Mar 18)
- Re: Are users right in rejecting security advice? John Ladwig (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 18)
- Re: Are users right in rejecting security advice? Basgen, Brian (Mar 18)
- FW: Are users right in rejecting security advice? Lazarus, Carolann (Mar 19)
- Re: Are users right in rejecting security advice? Eric Jernigan (Mar 22)
- Re: Are users right in rejecting security advice? Leon DuPree (Mar 23)
- Re: Are users right in rejecting security advice? SCHALIP, MICHAEL (Mar 23)