Educause Security Discussion mailing list archives
Re: SECURITY Listserv Instructions and Participation Guidelines
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Sun, 7 Jul 2002 19:28:56 -0500
At 18:36 -0400 7/07/02, Randy Marchany wrote:
>Are you talking about S.1901.IS?
Yes.
>(no single standard will work for every environment, something that proponents of this kind of thing don't seem to understand). I thought the draft that I read simply stated that the edu adhere to a standard and not necessarily a specific one.
The amendment said that NIST had 6 months to come up with a set of standards that all contractors and agencies would have to meet.
>There are a number of "standards" like the SANS and CIS benchmarks that could be applied to most edus without serious impact.
Note you said "most" and "serious". The problem with "standards" is they either don't take into account real needs and differences, or else they are so watered down as to be meaningless. The first set of CIS standards on Cisco routers, for instance, if mandated on our router would have DECREASED the security of our site! It is also a huge problem if the standards can't be met without additional funding that also isn't provided. In particular, any new standards for security may well push some predominantly minority institutions off the net -- many of them have trouble funding basic access with old equipment as it is. Several of the tribal colleges, for instance, may not be able to stay online if there are requirements for firewalls, IDS, smartcards or anything else with a non-zero cost. Despite what the President says, the digital divide exists and is growing.
>I know we've done that here at VA Tech. The problem has always been to get the upper administration to focus on security.
VA Tech must have more money than other places. I'm sure it has more than most HBCUs and Tribal colleges.
Then there is the economy. Several states are in recession and are enforcing mandatory furloughs for employees, including faculty. Others are taking money away from programs for the disabled, the unemployed and the indigent. All those states need is another set of unfunded mandates for the schools and universities. Think they are going to allocate more state money to make up for it? (Hint: rhymes with "hello")
Then there are the small private schools that are operating in the red. If they raise fees to cover new costs, many students can't get the financial aid to pay the difference (because it hasn't been increased). Thus, they lose students and fees both. Not good in bad economic times.
The problem is that the people who want to make the rules don't have sufficient knowledge of the impact they will have.
>BTW, I was looking at the bill (via thomas.loc.gov) and didn't see the amendment. Where is it?
I dunno. It is the markup version that the committee will eventually report to the floor. It is still "in conference" so they may not have the amendments listed.
--spaf