Educause Security Discussion mailing list archives

Re: RIAA Moves Against College-Network Fileswapping


From: Wayne Wilson <wwilson () UMICH EDU>
Date: Fri, 4 Apr 2003 11:54:21 -0500

It's interesting that a court case would find non-compliance with
policies to be sufficient for something akin to negligence.  It has been
the case with federal health regulations for quite some time that what
compliance investigators are really interested in is two things:

 Did your policies reflect the necessary regulations/laws?
 Do you have evidence that you followed these policies?

So it is indeed critical to have the proper policies in place as well as
the administrative systems to enforce them.  It is also critical to
beware of having policies that are more comprehensive than are needed to
be in compliance with applicable law, regulation and overall
institutional principles.  This kind of policy making activity is
extremely time consuming and difficult to work on and needs a cross
representation from the entire institution, not just one segment of it......

We have arguments over the above stated position whenever someone wants
to create a rule or policy to address a specific situation that is
troubling them at the moment.  Reactive policy making can lead to very
serious unintended consequences, but few are willing to put in the
effort for good pro-active policy making.

Wayne Wilson
University of Michigan Medical School Information Systems

Bruhn, Mark S. wrote:

This supports the notion that policies shouldn't be written unless
they are necessary for specific situations, and unless the
organization has the means and desire to enforce them.  This is one
of the reasons (though maybe not the most important) we don't have
such a policy, and indeed this citation lends add'l credibility to how
most of us operate in this area (reactive instead of proactive).
M.

--
Mark S. Bruhn, CISSP
-----Original Message-----
*From:* Robert Myles [mailto:mylesr () OHSU EDU]
*Sent:* Friday, April 04, 2003 10:23 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] RIAA Moves Against College-Network Fileswapping

There is precedent for the suit against the institution, case was
settled for 1.5 million last year in the southwest against a company
that had a policy against download of MP3's and P2P software, knew of a
P2P server on their system that they did not get around to shutting
down, and were found at fault for not following their own policy.
Lawsuits always go for the deep pockets!!

Robert Myles, CISSP
Information Security Officer
Oregon Health & Science University
