OK, gang - this is the last week! We are now going to assess an IT Usage Policy from an institution of higher learning. Using a check list that an IT manager might use, and using the knowledge we've gained from the different ethical policies reviewed, answer one of the following questions. Please see the instructions below...
Read the IT Usage Policy for the University of Cincinnati (See the Discussion Board on WebCT). Use the Manager’s Checklist to evaluate the University’s proposed IT Usage Policy (After University Policy on WebCT). Using the checklist, answer one of the four following questions:
1. Are all of the key issues covered by this policy? If not, which ones need to be addressed?
2. Is the statement of enforcement clear and strong? If not, how would you reword this section of the policy?
3. How would you ensure that this policy is communicated and understood by the broad group of IT users at the University – students, professors, research people, administrative support staff, contractors, and part-time workers?
4. Examine the IT usage policy in effect at your institution or company. Write a brief paragraph identifying its strengths and weaknesses.
Use complete sentences and thoroughly answer the questions. After posting your response, comment on at least one of your classmates’ postings (3-5 sentences).
IT User Management - Answer to Question #3
“How would you ensure that this policy is communicated and understood by the broad group of IT users at the University – students, professors, research people, administrative support staff, contractors, and part-time workers?”
Communications
For students, this can be done by providing information in their welcome packages and as one of the sessions during orientation. For employees, this can be done as part of their employee orientation. For all other incidental affiliates, this can be communicated as part of their contract or initial contact or start of relationship with the University and stated as one of the conditions for continued affiliation. Beyond the initial communication, the information should be clearly placed and easily found on the University website. Periodic reminders of the policy as part of news releases or bulletins can be used. It can also be communicated during planned awareness weeks and key persons (such as department heads and representatives of the student government) can be targeted and charged with the responsibility to remind their constituents.
Understanding
Understanding is harder to determine, since tests (for objective information gathering) on such issues cannot be mandated. Subjective responses or self-reports are harder to evaluate for validity of responses. Nonetheless, surveys could be used to gather the required information. Polls or trivia sessions could be held during awareness weeks and sent out to the entire community of users. Violators could be made to read the policy and answer questions on it before their network accounts are unlocked. Locking of accounts can be placed in the policy as one of the disciplinary actions that would be taken for violations. Open forums during awareness weeks can be held to allow persons the opportunity to ask questions and receive feedback or answers. This can also be achieved with online FAQs and links to ask questions and receive feedback. Awareness of the rules is one issue, but providing the necessary training to ensure persons can adhere to the rules must also be looked at. This can aid in the understanding of those persons who need extra assistance.
Response to Week 3, Topic 4
I recently reviewed the IT usage policy for our organization, and it’s called “FBI Information Technology and Information Systems Rules of Behavior for General Users Agreement Form.” This four-page agreement begins with the Purpose, which is to “outline the acceptable and unacceptable uses” of our IT systems. However, near the end (right before the signature block) it becomes a little more specific, stating its intention to “verify that individual signatories are aware of the rules of behavior that govern access” to FBI IT systems.
The policy is very detailed and references nine published federal government policies related to IT usage. It immediately puts the user on the hook with a Statement of Responsibility, where the user states that he is responsible for all IT he brings into agency space, all activity done under his logon, and the protection of all agency information with which he has contact.
This is followed by a long list of Rules of Behavior, including consent to monitoring, protection of passwords, marking of all media, dissemination to cleared personnel, information security (INFOSEC) training, and the obligation to report improper use. This section is followed by Expressly Prohibited Behavior, but at times this list of “don’ts” is duplicative of the previous list of “dos.” For example, in the Rules of Behavior the user agrees to “protect my password” while an Expressly Prohibited Behavior is to “reveal my password.”
In general, our IT usage policy covers everything on the Manager’s Checklist, including consequences for violating the policy: a security violation can result in anything from denial of access and dismissal to criminal prosecution.
Response to Avril's post, Answer to Question #3:
In organizations with which I've been associated, a user does not even get a computer logon account until he/she signs the IT usage agreement. As you suggested, it has been a part of the "Welcome packet" or "Check-in List" when a new employee arrives. Reminders of the usage policy are communicated via e-mail (usually right after a recent incident), and at all-hands meetings, when we usually cover the OSHA, EEO, and other mandatory training.
To ensure ongoing understanding, our organization requires that each user pass a web-based training course on Information Security (INFOSEC). This course - required annually - serves as an electronic means of tracking user understanding of the policy and ongoing acknowledgment of the IT usage requirements.
“Examine the IT usage policy in effect at your institution or company. Write a brief paragraph identifying its strengths and weaknesses.”
The Acceptable Usage Policy in effect at the University of Southern Nevada (USN) is largely generalized. While this type of policy is intended to be broad, the policy does not touch on topics specific to systems now widely used at USN. First, there is no mention of the USN information system and the sensitive data housed therein. As this system is used by most internal constituents, it should be at least briefly addressed. The USN information system is relatively new, and a usage policy is in process by the University Information System committee; however, updates of all technology-related policies should be timely.
Secondly, how the policy applies to temporary, part-time, and contract workers is not specified. This is a very large hole in the overall policy. For example, the largest college annually employs temporary clerical workers to process the high volume of admissions applications. There is no evidence these workers, who deal with sensitive student information such as social security numbers, are made aware of the policy or sign any type of document agreeing to the stipulations. Further, there is no clear manner of disciplinary action should a temporary or contract worker violate any part of the usage policy.
Thirdly, there is no instructional aspect defined in the policy. No evidence is provided of any training regarding appropriate passwords, sharing of user identification, or even leaving one’s computer “open” when logged in to USN information systems. Without appropriate and frequent training, and reiteration of the policy and how it applies to constituents, the policy cannot be effective.
Lastly, as mentioned on the Manager’s Checklist document, there is no mention of a firewall or, if one is in place, how it is monitored and maintained. Central systems must be adequately protected from both external and internal threats. Moreover, once in place, the precautionary appliances, software, and practices should be continuously updated and reviewed to keep up with constantly changing threats.
Response to Rick’s post – Week 3
Surely, when our technology policies grow up, they want to be like the FBI’s clearly thorough policy (smile). It is evident from Rick’s description that the policy covers all applicable aspects, no doubt those in the Manager’s Checklist provided by Professor Jeremy, as well as many not mentioned. The “Statement of Responsibility” is, however, something I think would be a good addition to any Technology Usage Policy. While many I speak to regarding usage of technology resources get that “glazed over” look when reviewing any such policy, having a clear and succinct statement such as Rick mentioned could get the primary meaning across from the start. I plan to, as with the other constructive criticisms mentioned in my own post regarding USN’s Acceptable Use Policy, revise the policy with something of similar nature and recommend to the appropriate USN governing bodies.
Response to Rick
I believe the type of organization would dictate how comprehensive the IT Usage Policy would be. With an organization such as the FBI, I would be surprised if Rick did not report the level of detail in the policy that he did. It is quite impressive. I especially like the redundancy and the holding of persons accountable just before they sign. No one should be able to claim ignorance. Other institutions, although not as mission-critical as the FBI, could learn a lot by reviewing such a policy.