[unisog] Academic Freedom

Martin, James E. martin at more.net
Fri Oct 18 15:14:04 GMT 2002


My two best friends at our university in terms of security policies and day-to-day enforcement are the auditors and the general counsel's office. If they are convinced, they can quickly change policies and practices. 

Sometimes I have to wait for a "learning experience" to make a particular policy issue real; after that, change happens rather rapidly. I've found event tracking to be a major asset in making arguments. Our security team has six years worth of security events in the database, searchable by downstream network, event type and so on. We've built standard weekly reports that flag the top ten problem networks downstream, and provide a summary and status for each event (>2800 last year). Due diligence issues pop out rather quickly. 

Once we framed our top-level AUP to raise due diligence issues (ours has a clause on "intentional or negligent interference with normal network use and service") and began having disucssions with counsel on due diligence and best practices, life got better. Business didn't get any slower, but we started seeing progress. 

Hope this helps!
Jim

========================================
James E. Martin                           
MOREnet Network Security Coordinator 
University of Missouri System                     
voice: 573-884-7200   fax: 573-884-6673
========================================


-----Original Message-----
From: Bill Mowery [mailto:bill.mowery at sc.edu]
Sent: Wednesday, October 16, 2002 9:37 AM
To: unisog at sans.org
Subject: RE: [unisog] Academic Freedom


Folks,

This is all an intellectually stimulating conversation, but from my 
experience and perspective reality is:

* Universities are the property and playground of the academics. Staff and 
other lower forms of life are to be tolerated.

* If it comes down to your opinion and that of academia, you lose - period 
- regardless of the validity of your perspective.

* Things like responsibility, data security, and the common good are fine 
ideas on paper - until they inconvenience the academic community in some way.

* Any academic, regardless of education, experience, or background knows 
more about what's good for computing technology than you do.


If this sounds a bit cynical, perhaps it is. After objecting to things such as:

* Networks allowed to participate in DOS attacks because we "don't want to 
upset dept. X".
* Invasion of privacy in email systems by system admins.
* Objecting to what "could have been" the coverup of athletic recruiting 
violations using technology.
* Objecting to putting into production a new enterprise-wide online 
instructional system at the beginning of a semester when the vendor was 
only able to install it two days ago.

I now find myself out of a senior management position with a drastic salary 
cut and no job (here it's called the "Penalty Box" although I'm the only 
one to ever have a salary cut while I have Time Out).

The rule is: it doesn't have to make sense, it doesn't have to be ethical 
or honest, and it doesn't have to do with the common good. The only thing 
that matters is that you don't think about anything that might tarnish the 
reputation of the institution and don't dare infringe on rights, real or 
perceived, of the academic community.


At 02:55 PM 10/15/2002 -0500, you wrote:
>Ah, a sense of entitlement and being indignant about it. One of the many 
>charms of higher-ed....
>
>

"No man is justified in doing evil on the ground of expediency."
- Theodore Roosevelt



More information about the unisog mailing list