Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Freedom versus Security
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Mon, 10 Dec 2012 19:42:28 +0000

We took a little different spin saying "anything that uses our Higher Ed resources needs to follow our policies" 
whether we own the device or not.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Monday, December 10, 2012 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Freedom versus Security

This is something anyone that has put written policies in place has probably faced.  The way we handeled it was to talk 
in terms of choices:  "If you choose to use your own machine to conduct business, it is your responsibility to ensure 
that your machine meets these security requirements."  We put talk about it in diplomatic terms, but to put it in blunt 
language, it boils down to this: It may be your machine, but it is our data and these are the requirements if you want 
access to it.

Our policies are found here:  http://www.bu.edu/infosec/policies/data-protection-standards/
But this one is where you really see that discussed: 
http://www.bu.edu/tech/policies/info-security/1-2-e-minimum-security-standards/   Look under the "Minimum Security 
Standards for Personally Owned or Personally Managed Devices" heading.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Russ Leathe
Sent: Monday, December 10, 2012 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Freedom versus Security

Silly question, but...

Have you had the discussion (with Staff and/or Faculty) about your policy's "controlling nature" regarding electronic 
security? Currently, we are actively implementing our WISP (Written Information Security Policy), according to State 
and Federal Guidelines.  Unfortunately, we are getting some push back.

One in particular, a personally owned laptop must adhere to the Colleges guidelines of authentication.

If you have run into this scenario, how did you resolve it?

Thanks,

Russ





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]