Educause Security Discussion: Re: Freedom versus Security

Educause Security Discussion mailing list archives
Re: Freedom versus Security
From: "Mertz, Brian E" <bmertz () ILLINOIS EDU>
Date: Mon, 10 Dec 2012 21:31:20 +0000
One non-policy way that we have framed this issue in the past is to actually state that we give our employees MORE 
freedom than other work environments. We like to point out that many corporate environments monitor and block emails 
based on keywords in the emails, that many businesses will restrict what web sites employees can visit, and many 
companies will not allow outside devices on their networks.

We explain that from a security standpoint, such a tightly locked down environment is much easier to centrally protect 
than a network that is as open as ours. But because we value academic freedom, we do not lock down our network in the 
ways that many businesses do.

Unless you have a faculty or staff member that is totally insulated in academia, most will know a friend or family 
member who works in one of these far more restrictive corporate online environments. As you're making this point, 
they'll probably recall a story from that friend about being unable to reach YouTube or another site from work, and the 
notion that the University environment is MORE open will take hold.

At that point, we like to drive home the idea by noting that the increased freedom on our network comes with more 
responsibility for the end user. We make it clear that our security office can not guard an "open" network by itself, 
and therefore, we need to enlist the help of our end users to keep our University network and data safe. Most people 
seem to not only understand, but they buy into this concept that we are asking them to help protect our network by 
taking better care of their accounts and their data.

Once you get a faculty or staff member to that point of thinking, all security policies and best practices come off as 
ways of teaching them to better protect the online freedom that we give them on our network. University employees have 
a lot of freedom on our network, but they also have the responsibility to help protect those freedoms by being 
responsible on our network. If they want a free and open network, they have to help preserve it by being secure online.


So to get back to the original issue… I doubt any of your new policies are blacklisting web sites or monitoring email 
or anything that will change the day to day habits for most employees. Most likely, you're just codifying best 
practices that many people already follow.

To the ones that have complaints about authentication, point out that in order to have a network that is fast, stable 
and free, we need to make sure only people authorized to be on our network are using it. Employees at your university 
have freedoms that many corporate employees don't — namely, they can hook up their own devices to the University's 
network. But in order to do that, it's the employee's responsibility to help protect that network by logging in when 
they bring a personal device.

None of this codifies well into policy. But if you can frame your education/outreach in this form, you'll find a lot 
more buy-in than saying that you're protecting employee's from their own bad behaviors (which, of course, we are doing 
as well).

Showing people how security empowers them online makes them far more likely to buy into security practices than saying 
that as employees they have to follow rules because the university says so or because a certain practice is the best 
way to guard the university's data.


--
Brian Mertz
Chief Communications Officer
Campus Information Technologies and Informational Services (CITES)
University of Illinois at Urbana-Champaign
bmertz () illinois edu
twitter.com/cites

From: Daniel Bennett <daniel.bennett () PCT EDU<mailto:daniel.bennett () PCT EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Monday, December 10, 2012 2:23 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Freedom versus Security

We have taken a similar approach…

http://www.pct.edu/its/Policy.htm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Jacobson, Dick
Sent: Monday, December 10, 2012 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Freedom versus Security

We took a little different spin saying “anything that uses our Higher Ed resources needs to follow our policies” 
whether we own the device or not.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Shamblin, Quinn
Sent: Monday, December 10, 2012 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Freedom versus Security

This is something anyone that has put written policies in place has probably faced.  The way we handeled it was to talk 
in terms of choices:  “If you choose to use your own machine to conduct business, it is your responsibility to ensure 
that your machine meets these security requirements.”  We put talk about it in diplomatic terms, but to put it in blunt 
language, it boils down to this: It may be your machine, but it is our data and these are the requirements if you want 
access to it.

Our policies are found here:  http://www.bu.edu/infosec/policies/data-protection-standards/
But this one is where you really see that discussed: 
http://www.bu.edu/tech/policies/info-security/1-2-e-minimum-security-standards/   Look under the “Minimum Security 
Standards for Personally Owned or Personally Managed Devices” heading.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]>On Behalf Of Russ Leathe
Sent: Monday, December 10, 2012 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Freedom versus Security

Silly question, but…

Have you had the discussion (with Staff and/or Faculty) about your policy’s “controlling nature” regarding electronic 
security? Currently, we are actively implementing our WISP (Written Information Security Policy), according to State 
and Federal Guidelines.  Unfortunately, we are getting some push back.

One in particular, a personally owned laptop must adhere to the Colleges guidelines of authentication.

If you have run into this scenario, how did you resolve it?

Thanks,

Russ
By Date By Thread
Current thread:
Freedom versus Security Russ Leathe (Dec 10)
- Re: Freedom versus Security Shamblin, Quinn (Dec 10)
  - Re: Freedom versus Security Jacobson, Dick (Dec 10)
    - Re: Freedom versus Security Daniel Bennett (Dec 10)
    - Re: Freedom versus Security Mertz, Brian E (Dec 10)
- <Possible follow-ups>
- Re: Freedom versus Security SCHALIP, MICHAEL (Dec 10)
  - Re: Freedom versus Security Russ Leathe (Dec 11)
    - Re: Freedom versus Security Louis APONTE (Dec 11)