[unisog] GBLA policy examples

James Goldston jgoldston at sses.net
Thu Jul 17 17:36:46 GMT 2003

> -----Original Message-----
> From: Phillip G Deneault [mailto:deneault at WPI.EDU]
> Sent: Thursday, July 17, 2003 10:02 AM
> To: James Goldston
> Cc: Christopher Cramer; unisog at sans.org
> Subject: RE: [unisog] GBLA policy examples
> On Thu, 17 Jul 2003, James Goldston wrote:
> > In the Georgetown link, I notice it states they have a "GLBA Information
> > Security Program."  Interesting.  Wonder if they also have a regular 'ol
> > "Information Security Program" (I see they have a "University
> Information
> > Security Policy")?
> I've been in the process of trying to define an IT policy for my
> university for a while now(accounting for politics and such).  This GBLA
> thing is annoying me because I'd rather have a univeristy-wide
> security policy first ...

Absolutely.  (Recommendation: try to distinguish between Program and Policy
and try to help those who must vet the Program understand the difference.
If you ask me to distinguish them for you, I'll respond by saying you go
first. :))  Like I said, I don't want to write the paper here, but would
suggest that you think in terms of the difference a "Policy" vs. a "Program"
would have to effect culture change).

> before I have some random government-required edict
> that might actually limit my implimentation.  At the very least, I'll
> probably end up having to change the GBLA policy later to account
> for this
> new information.

> On a brighter note, a random government-required edict is just the tool I
> need to bash the proverbial square peg that is my university security
> policy into the round hole of my IT division. :-)

Yes.  Too bad that is the language they understand more so than best
practice/good  practice/ industry practice and the like.

Good luck!

More information about the unisog mailing list