Educause Security Discussion mailing list archives
[SECURITY]
From: Tracy Beth Mitrano <tbm3 () CORNELL EDU>
Date: Sat, 13 Jun 2015 20:13:21 +0000
If you think you ring the bell of one of these conditions, Rosella, I would have legal counsel together with the CIO review the matter and then work with federal law enforcement (local technical arm of F.B.I. or federal prosecutor in your area, D.O.J.) to determine the specifications. Feel free to write me separately if you think a chat would help more.

Thanks, Tracy

On Jun 13, 2015, at 3:46 PM, Rossella Mariotti-Jones <rossella.mariotti.jones () CHEMEKETA EDU> wrote:

Hello Tracy,

one of these situations applies to us, so we already know we have to comply, unless we change the situation which will take some time. We have our network designed in such a way that we can pretty easily identify where the feds would need to plug in to get the traffic they need, and in the very near future we'll roll out user ID for 90% of our internal users. What I'm trying to do is figure out if this is enough to say "yes we are compliant".

On Jun 13, 2015 00:26, "Tracy Beth Mitrano" <tbm3 () cornell edu> wrote:

Rosella,

I agree with what Mark outlined and will add for more clarification that unless your network supplies the public with Internet service, as for example with a fee, or it connects directly to the Internet, instead of going through a commercial provider, the network is exempt from CALEA.

Best, Tracy

On Jun 12, 2015, at 6:31 AM, Berman, Mark <mberman () siena edu> wrote:

Rosella,

I think the articles you are reading are from when CALEA was first passed and interpretations had not been written. The commonly accepted reading of the law now is that it exempts "private networks" and most higher ed institutions define themselves as private networks.

There has been some "forgetting" about CALEA in recent years and I've read postings on this list about colleges who allow open access to their networks; my take is that if you run some kind of Network Access Control (NAC) and only allow full access to people with accounts in your system, along with guest access where people register their names and reasons for being on campus, then you can in good faith define yourself as "private" and exempt from CALEA.

I remember the ALA (libraries) issuing a legal opinion that libraries were exempt for other reasons and that opinion is available on the Educause site here: http://www.educause.edu/library/resources/libraries-are-exempt-calea-wiretap-obligations

Bottom line, it's a lot easier to declare yourself exempt than to spend money on hardware to try and comply. As far as I know this has never been litigated and until it is and a judge says I'm wrong, I'll stand on that opinion.

- Mark

--
Mark Berman, Chief Information Officer
Siena College
515 Loudon Road
Loudonville, NY 12211
(518)782-6957, Fax: (518)783-2590

Siena College is a learning community advancing the ideals of a liberal arts education, rooted in its identity as a Franciscan and Catholic institution.

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you received this e-mail and are not the intended recipient, please inform the sender by e-mail reply and destroy all copies of the original message.

On 6-11-15, Rossella Mariotti-Jones Wrote:

Hello all,

I found the following FAQ on Educause and I have some questions about how the compliance technically works.

At some point in the past when we were figuring out how to comply, someone suggested that as long as we can supply a span port on various key pieces of equipment we could be ok because the Feds will come in with their own boxes. Is this at all close to what happens in reality? And if not, what is the college required to provide? TIA.

http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/issues-and-positions/networking-and-telecommunications/tfaq

rossella mariotti-jones | network analyst | information technology | chemeketa community college | p: 503-589-7775 | e: rmariott () chemeketa edu