Educause Security Discussion: Re: Freedom versus Security

Educause Security Discussion mailing list archives

Re: Freedom versus Security

From: Daniel Bennett <daniel.bennett () PCT EDU>
Date: Mon, 10 Dec 2012 20:23:53 +0000

We have taken a similar approach...

http://www.pct.edu/its/Policy.htm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Jacobson, Dick
Sent: Monday, December 10, 2012 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Freedom versus Security

We took a little different spin saying "anything that uses our Higher Ed resources needs to follow our policies" 
whether we own the device or not.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Monday, December 10, 2012 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Freedom versus Security

This is something anyone that has put written policies in place has probably faced.  The way we handeled it was to talk 
in terms of choices:  "If you choose to use your own machine to conduct business, it is your responsibility to ensure 
that your machine meets these security requirements."  We put talk about it in diplomatic terms, but to put it in blunt 
language, it boils down to this: It may be your machine, but it is our data and these are the requirements if you want 
access to it.

Our policies are found here:  http://www.bu.edu/infosec/policies/data-protection-standards/
But this one is where you really see that discussed: 
http://www.bu.edu/tech/policies/info-security/1-2-e-minimum-security-standards/   Look under the "Minimum Security 
Standards for Personally Owned or Personally Managed Devices" heading.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  -  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Russ Leathe
Sent: Monday, December 10, 2012 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Freedom versus Security

Silly question, but...

Have you had the discussion (with Staff and/or Faculty) about your policy's "controlling nature" regarding electronic 
security? Currently, we are actively implementing our WISP (Written Information Security Policy), according to State 
and Federal Guidelines.  Unfortunately, we are getting some push back.

One in particular, a personally owned laptop must adhere to the Colleges guidelines of authentication.

If you have run into this scenario, how did you resolve it?

Thanks,

Russ

By Date By Thread

Current thread:

Freedom versus Security Russ Leathe (Dec 10)
- Re: Freedom versus Security Shamblin, Quinn (Dec 10)
  - Re: Freedom versus Security Jacobson, Dick (Dec 10)
    - Re: Freedom versus Security Daniel Bennett (Dec 10)
    - Re: Freedom versus Security Mertz, Brian E (Dec 10)
- <Possible follow-ups>
- Re: Freedom versus Security SCHALIP, MICHAEL (Dec 10)
  - Re: Freedom versus Security Russ Leathe (Dec 11)
    - Re: Freedom versus Security Louis APONTE (Dec 11)