Re: policy question?

["Dr. Wole Akpose" <wole.akpose () MORGAN EDU>]

The key is to ensure that machines that connect to your network meet
whatever security-requirements you have in place to protect against and
mitigate threats. Our experience is that by requiring that machines meet a
basic set of requirement, and using NAC for enforcement, we have been able
to limit the number of infections due to "strange" machines.

 

If data loss prevention is not your objective here, this might be
sufficient. If however, you have DLP concern, your worries might go beyond
staff and their personal computers on University campus network. Also
regarding student access to confidential information, when presented with
this kind of question, I always ask back "who is a student?" In our school
where many administrators return to class to get that next degree, do you
stop them from doing their jobs?

 

A general policy of need to know, and one that hold users accountable may be
more valuable than a blanket ban.

 

I realize that every institution is different, and that reality, more than
anything else should dictate the exact wordings of your policy.

 

Wole Akpose.

Morgan State University.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Thursday, October 28, 2010 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] policy question?

 

Excellent question - we were just wondering about this ourselves!!  We've
got faculty and staff bringing in personal equipment and asking us to
connect them to the "business network".  In some cases - we've complied -
but now, I'm asking whether this is appropriate.  It even comes down to
asking us to install software on a college-owned system to allow them to
sync their personal cell phone with the system (e-mail, calendars, etc.)
For the most part - this is pretty benign, but what if they sync a message
that has FERPA, budget, or other flavors of data in it?

 

Thanks...looking forward to the responses..

 

M

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Thursday, October 28, 2010 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] policy question?

 

I was wondering if other institutions have a general Policy that

 

a)       explicitly prohibits Employees and administrators from using
personal laptops or computing equipment for conducting university business ?
The Assumption is that they are provided university owned equipment with
standard images with up to-date security updates and protection. 

b)      Prohibits Student Workers/GA's from handling confidential
information when working with certain departments.

 

 

Thanks,

Anand

 

 

 

Anand Malwade

IT Security

Seton Hall University

 

  


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is 
believed to be clean. 


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is 
believed to be clean.