Educause Security Discussion mailing list archives
Re: policy question?
From: "Dr. Wole Akpose" <wole.akpose () MORGAN EDU>
Date: Fri, 29 Oct 2010 08:15:35 -0400
The key is to ensure that machines that connect to your network meet whatever security-requirements you have in place to protect against and mitigate threats. Our experience is that by requiring that machines meet a basic set of requirement, and using NAC for enforcement, we have been able to limit the number of infections due to "strange" machines. If data loss prevention is not your objective here, this might be sufficient. If however, you have DLP concern, your worries might go beyond staff and their personal computers on University campus network. Also regarding student access to confidential information, when presented with this kind of question, I always ask back "who is a student?" In our school where many administrators return to class to get that next degree, do you stop them from doing their jobs? A general policy of need to know, and one that hold users accountable may be more valuable than a blanket ban. I realize that every institution is different, and that reality, more than anything else should dictate the exact wordings of your policy. Wole Akpose. Morgan State University. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL Sent: Thursday, October 28, 2010 3:35 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] policy question? Excellent question - we were just wondering about this ourselves!! We've got faculty and staff bringing in personal equipment and asking us to connect them to the "business network". In some cases - we've complied - but now, I'm asking whether this is appropriate. It even comes down to asking us to install software on a college-owned system to allow them to sync their personal cell phone with the system (e-mail, calendars, etc.) For the most part - this is pretty benign, but what if they sync a message that has FERPA, budget, or other flavors of data in it? Thanks...looking forward to the responses.. M From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade Sent: Thursday, October 28, 2010 1:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] policy question? I was wondering if other institutions have a general Policy that a) explicitly prohibits Employees and administrators from using personal laptops or computing equipment for conducting university business ? The Assumption is that they are provided university owned equipment with standard images with up to-date security updates and protection. b) Prohibits Student Workers/GA's from handling confidential information when working with certain departments. Thanks, Anand Anand Malwade IT Security Seton Hall University -- This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean.
Current thread:
- policy question? Anand S Malwade (Oct 28)
- Re: policy question? SCHALIP, MICHAEL (Oct 28)
- Re: policy question? Dr. Wole Akpose (Oct 29)
- Re: policy question? randy marchany (Oct 29)
- Re: policy question? Joel Rosenblatt (Oct 29)
- Re: policy question? SCHALIP, MICHAEL (Oct 29)
- Re: policy question? Bristol, Gary L. (Oct 29)
- Re: policy question? randy marchany (Oct 29)
- Re: policy question? Valdis Kletnieks (Oct 29)
- Re: policy question? Dr. Wole Akpose (Oct 29)
- Re: policy question? SCHALIP, MICHAEL (Oct 28)
- <Possible follow-ups>
- Re: policy question? Rosenthal, Jane E. (Nov 04)
- Re: policy question? Soldi, Miguel (Nov 04)