Educause Security Discussion mailing list archives
Policy Enforcement
From: Scott Sweren <ssweren () UDEL EDU>
Date: Fri, 26 Mar 2010 13:34:17 -0400
I am interested to know what others do to enforce information security policies in a highly distributed environment where the security office may not have direct authority in the practical sense to impose sanctions. For violations that are particularly egregious and/or violate criminal law, the response is fairly simple in that the HR process for termination can be invoked. I am more interested in lesser offenses that do not warrant considering termination.

We are examining our response procedures to policy violations and want to strike a balance for imposing a real deterrent to violating policy while maintaining the autonomy (or at least perceived autonomy) of the distributed groups so the security office does not look like "Big Brother".

I am not looking for the process followed with students but that used with faculty and staff. I know faculty bargaining agreements and other labor agreements can factor into what can be done.

Some questions I am interested in knowing your responses to are:

- How did you get the authority to impose the sanctions?
- How is your process perceived?
- Do you always hold a person responsible or are there scenarios where a department or group can be held accountable instead or in addition to a person?
- With a group accountability, do you have financial penalties that touch their budget or something else?
- If you have financial penalties, where does the money go?
- Do you have an appeals process?

Any input is appreciated.

Thanks,
Scott

Scott Sweren
Information Security Officer
University of Delaware
ssweren () udel edu