Educause Security Discussion mailing list archives
Re: Freedom versus Security
From: "Mertz, Brian E" <bmertz () ILLINOIS EDU>
Date: Mon, 10 Dec 2012 21:31:20 +0000
One non-policy way that we have framed this issue in the past is to actually state that we give our employees MORE freedom than other work environments. We like to point out that many corporate environments monitor and block emails based on keywords in the emails, that many businesses will restrict what web sites employees can visit, and many companies will not allow outside devices on their networks. We explain that from a security standpoint, such a tightly locked down environment is much easier to centrally protect than a network that is as open as ours. But because we value academic freedom, we do not lock down our network in the ways that many businesses do. Unless you have a faculty or staff member that is totally insulated in academia, most will know a friend or family member who works in one of these far more restrictive corporate online environments. As you're making this point, they'll probably recall a story from that friend about being unable to reach YouTube or another site from work, and the notion that the University environment is MORE open will take hold. At that point, we like to drive home the idea by noting that the increased freedom on our network comes with more responsibility for the end user. We make it clear that our security office can not guard an "open" network by itself, and therefore, we need to enlist the help of our end users to keep our University network and data safe. Most people seem to not only understand, but they buy into this concept that we are asking them to help protect our network by taking better care of their accounts and their data. Once you get a faculty or staff member to that point of thinking, all security policies and best practices come off as ways of teaching them to better protect the online freedom that we give them on our network. University employees have a lot of freedom on our network, but they also have the responsibility to help protect those freedoms by being responsible on our network. 
If they want a free and open network, they have to help preserve it by being secure online. So to get back to the original issue… I doubt any of your new policies are blacklisting web sites or monitoring email or anything that will change the day-to-day habits for most employees. Most likely, you're just codifying best practices that many people already follow. To the ones that have complaints about authentication, point out that in order to have a network that is fast, stable and free, we need to make sure only people authorized to be on our network are using it. Employees at your university have freedoms that many corporate employees don't — namely, they can hook up their own devices to the University's network. But in order to do that, it's the employee's responsibility to help protect that network by logging in when they bring a personal device. None of this codifies well into policy. But if you can frame your education/outreach in this form, you'll find a lot more buy-in than saying that you're protecting employees from their own bad behaviors (which, of course, we are doing as well). Showing people how security empowers them online makes them far more likely to buy into security practices than saying that as employees they have to follow rules because the university says so or because a certain practice is the best way to guard the university's data.
--
Brian Mertz
Chief Communications Officer
Campus Information Technologies and Informational Services (CITES)
University of Illinois at Urbana-Champaign
bmertz () illinois edu
twitter.com/cites

From: Daniel Bennett <daniel.bennett () PCT EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, December 10, 2012 2:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Freedom versus Security

We have taken a similar approach… http://www.pct.edu/its/Policy.htm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jacobson, Dick
Sent: Monday, December 10, 2012 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Freedom versus Security

We took a little different spin, saying “anything that uses our Higher Ed resources needs to follow our policies” whether we own the device or not.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Monday, December 10, 2012 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Freedom versus Security

This is something anyone that has put written policies in place has probably faced. The way we handled it was to talk in terms of choices: “If you choose to use your own machine to conduct business, it is your responsibility to ensure that your machine meets these security requirements.” We talk about it in diplomatic terms, but to put it in blunt language, it boils down to this: It may be your machine, but it is our data, and these are the requirements if you want access to it.

Our policies are found here: http://www.bu.edu/infosec/policies/data-protection-standards/
But this one is where you really see that discussed: http://www.bu.edu/tech/policies/info-security/1-2-e-minimum-security-standards/
Look under the “Minimum Security Standards for Personally Owned or Personally Managed Devices” heading.

Quinn R Shamblin
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP – O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Monday, December 10, 2012 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Freedom versus Security

Silly question, but… Have you had the discussion (with Staff and/or Faculty) about your policy’s “controlling nature” regarding electronic security? Currently, we are actively implementing our WISP (Written Information Security Policy), according to State and Federal Guidelines. Unfortunately, we are getting some push back. One in particular: a personally owned laptop must adhere to the College’s guidelines of authentication. If you have run into this scenario, how did you resolve it?

Thanks,
Russ