Hi Johnathon, Craig ... and everyone else involved in creating and
refining the campus's minimum security standards,

First, thanks for all your hard (and pathbreaking) work on this
truly important effort!

At 12:18 -0700 2004-06-23, Johnathon P Kogelman wrote:
>Second from my IT role in Chemistry:
>I have to wonder why these issues weren't raised in Jan-March of
>this year, when the sub-committee was requesting input, feedback,
>and hosted meetings at different Campus levels. The MSS (Minimum
>Security Standards) have been published for roughly three months,
>enough time for Departments to plan for the '04-'05 FY and try to
>offset the costs of replacement systems/OSs.
Here is some more feedback concerning some other reasons why "these
issues weren't raised in Jan-March of this year," and are only now
surfacing on Micronet, MAGNet, and other such lists:
1) There was a single email announcement to Micronet, pcsystems,
and the ucb-security lists, by Craig Lant on February 11.
This was echoed as an IST News item on February 24.
This announcement didn't go out to MAGNet or webnet, for instance,
so the net wasn't cast as widely as possible.
2) There was no follow-up announcement sent out during that
three month period. Just one email message was sent.
3) This email message did not ask for feedback
on the standards and implementation guidelines.
Rather, it presented the policy as a fait accompli and
offered only the opportunity to ask questions.
What this message didn't make clear is that changes
to the minimum security standards and their implementation
guidelines - in contrast to the overall security *policy* - were
still welcome. Read the announcement below yourself and see
if you can spot any wording that actively solicits feedback.
(Hint: being asked to "determine the impact on your department or
unit and ensure that steps are taken to comply" is not feedback.)
At 16:48 -0800 2004-02-11, Craig Lant wrote:
>In response [to various network attacks on campus computers], the
>Campus Information Security Committee (CISC) has
>developed a set of minimum security standards to be met by any device
>connected to our network. The policy defining these standards and their
>implementation was unanimously approved by the e-Berkeley Steering
>Committee on January 29th and can be found at:
>
>http://security.berkeley.edu/MinStds
>
>Because the impact of these standards is so broad and implementation
>will take some time, a one year implementation period is in effect
>ending on February 1st, 2005. It's very important for everyone to take
>this time to ensure that all computers under their control are brought
>into compliance with these standards. Administrative officials should
>review this policy and the accompanying implementation guide to
>determine the impact on your department or unit and ensure that steps
>are taken to comply. Once the implementation period is over, any
>non-compliant computers will be subject to being disconnected from the
>network.
>
>Questions about this policy can be sent to security-policy@berkeley.edu.
>
>This new policy is part of the foundation of policies and procedures
>designed to strengthen UC Berkeley's growing online environment.
4) As noted in a previous email message, as well as in Charles James'
feedback, the implications of the standards and their implementation
weren't in many cases made plain: what computing support providers
and their departments were being asked to give up, buy, upgrade,
and support as a result of these proposed changes, as well as the
concrete benefits expected from these changes.
Since the policy itself, the standards, and the implementation
guidelines may not be appropriate places to put plain language
of this type :-), supplementary announcements, email discussions,
meetings, and the like would need to fill that need. We're just
now starting to see this occur on the user group lists ...
5) Input on the *policy* was directly solicited via a message from
Karen Eft, as well as at a Micronet meeting, in September 2003.
However, to the best of my knowledge, there has been no
follow-up meeting or email message to Micronet, ucb-security,
et al., asking for feedback on the "meat and potatoes" parts
of the campus minimum security standards: the *standards*
and their *implementation guidelines*. This was requested solely
regarding the overall policy back in September last year.
Hopefully the feedback above may be helpful when planning future
efforts which will solicit feedback, both concerning the minimum
security standards and any other campus computing initiatives. And
yes, this is hard stuff to do well ...
Aron Roberts
Workstation Software Support Group
Received on Wed Jun 23 14:02:32 2004