Re: Getting input on campus minimum security standards

From: Johnathon P Kogelman <jpk_at_cchem.berkeley.edu>
Date: Wed Jun 23 2004 - 14:58:55 PDT

Trust me, I'm a big believer in more communication (see my Calmail or
port-blocking emails regarding lack of communication). Could more have been
done? Yes, as always is the case on Campus. There were meetings though,
at least for Department/College Directors & Budget people on Campus... ex:

>>Subject: Minimum Security Standards Policy Round Table
>>
>>You are invited to a round table discussion of the proposed new "Minimum
>>Security Standards for Networked Devices" developed by the Campus
>>Information Security Committee for the E-Berkeley Steering Committee.
>>
>>This draft policy, while urgently needed to help protect our campus
>>network, will have significant administrative and financial impact on
>>every department and impact practically every member of our community in
>>some fashion. Knowledgeable people from across the campus have been
>>working hard to develop this policy and we have been discussing it with
>>many campus groups.
>>
>>At this round table discussion, we would like to present this policy and
>>discuss its impact on your department from your perspective. We
>>recognize some of the difficulties involved in implementing this policy
>>and we would like to mitigate these and those that you identify as much
>>as possible. Your input is key to that process.
>>
>>Please take a few moments to review the draft policy and related material
>>(at http://security.berkeley.edu/MinStds/). We also would like to
>>encourage you to discuss this with others in your department (such as
>>systems administrator(s)) in order to gain a clearer understanding of its
>>impact. You're welcome to bring along any knowledgeable people from your
>>department as well.
>>
>>The round table discussion is scheduled for Friday, January 16th from
>>2:00 to 4:00 in 370 Dwinelle Hall. Please RSVP with the number of people
>>you expect to have with you.

I know that many departments did have reps at that meeting, I happened to
be one of two from Chemistry. Over all it was a good meeting, and the
impression I got was that there would be more meetings at different levels
on Campus. I can't speak to if there were more meetings, hopefully someone
from the committee could comment on that. (Also note I wasn't part of the
committee nor involved beyond the above posted meeting.)

We still have roughly 9 months left before the policy goes into full
effect, and (hopefully!) we will have a Micronet meeting to get into the
details of the Minimum Security Standards. The policy seems pretty solid
and I believe most of the current issues are with How-to-Implement, which I
will hazard a guess, is still open to discussion/feedback (hopefully
someone can comment on this).

Clearly you have shown that not everyone has the same options to express
feedback, and hopefully this will be corrected with future Campus wide IT
policies. I also hope there is still time for IT folks on Campus to have
some input into how the policies should be implemented on Campus, as that
will affect more people than the actual policy.

jpk

At 02:00 PM 6/23/2004, Aron Roberts wrote:
>Hi Johnathon, Craig ... and everyone else involved in creating and
>refining the campus's minimum security standards,
>
> First, thanks for all your hard (and pathbreaking) work on this truly
> important effort!
>
>At 12:18 -0700 2004-06-23, Johnathon P Kogelman wrote:
>>Second from my IT role in Chemistry:
>>I have to wonder why these issues weren't raised in Jan-March of this
>>year, when the sub-committee was requesting input, feedback, and hosted
>>meetings at different Campus levels. The MSS (Minimum Security Standards)
>>have been published for roughly three months, enough time for Departments
>>to plan for the '04-'05 FY and try to offset the costs of replacement
>>systems/OSs.
>
> Here is some more feedback concerning some other reasons why "these
> issues weren't raised in Jan-March of this year," and are only now
> surfacing on Micronet, MAGNet, and other such lists:
>
> 1) There was a single email announcement to Micronet, pcsystems,
> and the ucb-security lists, by Craig Lant on February 11.
> This was echoed as an IST News item on February 24.
>
> This announcement didn't go out to MAGNet or webnet, for instance,
> so the net wasn't cast as widely as possible.
>
> 2) There was no follow-up announcement sent out during that
> three month period. Just one email message was sent.
>
> 3) This email message did not ask for feedback
> on the standards and implementation guidelines.
>
> Rather, it presented the policy as a fait accompli and
> offered only the opportunity to ask questions.
>
> What this message didn't make clear is that changes
> to the minimum security standards and their implementation
> guidelines - in contrast to the overall security *policy* - were
> still welcome. Read the announcement below yourself and see
> if you can spot any wording that actively solicits feedback.
>
> (Hint: being asked to "determine the impact on your department or
> unit and ensure that steps are taken to comply" is not feedback.)
>
>At 16:48 -0800 2004-02-11, Craig Lant wrote:
>>In response [to various network attacks on campus computers], the Campus
>>Information Security Committee (CISC) has
>>developed a set of minimum security standards to be met by any device
>>connected to our network. The policy defining these standards and their
>>implementation was unanimously approved by the e-Berkeley Steering
>>Committee on January 29th and can be found at:
>>
>>http://security.berkeley.edu/MinStds
>>
>>Because the impact of these standards is so broad and implementation
>>will take some time, a one year implementation period is in effect
>>ending on February 1st, 2005. It's very important for everyone to take
>>this time to ensure that all computers under their control are brought
>>into compliance with these standards. Administrative officials should
>>review this policy and the accompanying implementation guide to
>>determine the impact on your department or unit and ensure that steps
>>are taken to comply. Once the implementation period is over, any
>>non-compliant computers will be subject to being disconnected from the
>>network.
>>
>>Questions about this policy can be sent to security-policy@berkeley.edu.
>>
>>This new policy is part of the foundation of policies and procedures
>>designed to strengthen UC Berkeley's growing online environment.
>
> 4) As noted in a previous email message, as well as in Charles James'
> feedback, the implications of the standards and their implementation
> weren't in many cases made plain: what computing support providers
> and their departments were being asked to give up, buy, upgrade,
> and support as a result of these proposed changes, as well as the
> concrete benefits expected from these changes.
>
> Since the policy itself, the standards, and the implementation
> guidelines may not be appropriate places to put plain language
> of this type :-), supplementary announcements, email discussions,
> meetings, and the like would need to fill that need. We're just
> now starting to see this occur on the user group lists ...
>
> 5) Input on the *policy* was directly solicited via a message from
> Karen Eft, as well as at a Micronet meeting, in September 2003.
>
> However, to the best of my knowledge, there has been no
> follow-up meeting or email message to Micronet, ucb-security,
> et al., asking for feedback on the "meat and potatoes" parts
> of the campus minimum security standards: the *standards*
> and their *implementation guidelines*. This was requested solely
> regarding the overall policy back in September last year.
>
> Hopefully the feedback above may be helpful when planning future
> efforts which will solicit feedback, both concerning the minimum security
> standards and any other campus computing initiatives. And yes, this is
> hard stuff to do well ...
>
>Aron Roberts
>Workstation Software Support Group

Received on Wed Jun 23 15:00:28 2004

This archive was generated by hypermail 2.1.8 : Wed Jun 23 2004 - 15:00:28 PDT