Educause Security Discussion mailing list archives

Re: Web Content Filtering


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Wed, 22 Apr 2015 13:43:34 -0400

Hi Don,

An interesting proposition.  Each organization has a very personal approach
to most things security; this is no exception.

The most common approach advocated by IT, HR and Legal in my experience is
to block only pages that can cause harm to the workplace.  Malware/viruses,
illegal file sharing, porn, maybe a few others.

It gets more interesting when some of the business managers get involved,
usually they want to block shopping, social media, etc.  If this is allowed
it usually doesn't last very long, or the exception process becomes tedious
to maintain.   I've implemented this twice at two organizations only to
have them fall back on the basics above after some time frame.

I would suggest that the tool is there to protect the network, provide log
files on usage if needed for HR or legal actions, but that it is not
designed to be a babysitter or to 'give managers one less thing to worry
about'.

If the University really feels that recreational pages need to be blocked,
they should also play gatekeeper in the exception process.  It could come
into the helpdesk, they can pass along to IT Security analyst, who reaches
out to the users, ascertains need, and without comment to user they pass
this information along to the University gatekeeper, who is the final
decision maker.  In my former life this was the COO, who after 3 months of
dealing with exceptions told me let's find an easier way to do it.  We
settled on the above, and while not every line manager was happy about
Facebook coming back, it was a much better position for IT and Security to
maintain.

We do some basic blocking here; it works fine. The only issue we run into
occasionally is when an otherwise safe site gets compromised, the software
knows it and blocks it for us, but then the users are upset they can't get
to the known good (but not at this exact moment) site.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720



From:   Donald Welch <djwelch () UMICH EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   04/22/2015 01:08 PM
Subject:        [SECURITY] Web Content Filtering
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



Colleagues,
I'm the new CISO for the University of Michigan.  I look forward to meeting
you and working with you.  One of my first issues is web content filtering.

I've been asked whether any other higher education institutions implement
web content filtering and, if so, what groups do you filter for and what
kinds of content.  If you wish, I'd also welcome your opinion on how well
it works.

This has started with our health system and my guess is that would be our
focus if we went forward.  However, one of our Trustees has been
questioning why we don't filter across the University.  I have to go to an
initial meeting Friday afternoon, so any info you can give me before then
would be much appreciated.

Sincerely,
Don

Donald J. Welch, Ph.D.
Chief Information Security Officer
University of Michigan
734-615-0334

