Re: Outside Entities Computers

[Brad Judy <Brad.Judy () COLORADO EDU>]

Any research school would be hard-pressed to prevent non-university
owned systems from being on their networks.  To begin with, computers
purchased using many forms of research funding belong to the researcher,
not the university.  Additionally, there are lots of collaborations that
involve professors from other institutions or colleagues from research
agencies.  

In non-research contexts, I'm sure many (most?) institutions have
partnerships or relationships with external organizations that may have
some offices on their campus (professional organizations, government
offices, contractors, vendors, etc).  Granted, if one has a written
contract as part of this relationship, adherence to campus security
policies can be included in that contract.  I'd consider ROTC in this
group as a federal government office.

Naturally, there are additional types of "outside" computers which
require network access that might be placed on a more limited network
like students, conference attendees, guests, etc.  Since this
requirement is pretty universal in higher ed (perhaps with the exception
of the online-only institutions), I'll assume this isn't part of the
question.

The key, IMO, is that your security policies are written in relation to
systems connected to your networks, rather than institutionally owned
systems.  Additionally, some level of network access control that
requires a university employee taking responsibility for a system (by
"registering" it for network access) or the user (by sponsoring him/her
for a network access account) would tie any computer on the network to
an individual who should know campus policies.   As mentioned,
relationships with formal agreements in place should include references
to obeying university policies in general and perhaps specific mention
of security policies.


Brad Judy

IT Security Office
University of Colorado at Boulder

> -----Original Message-----
> From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU] 
> Sent: Friday, December 14, 2007 8:51 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Outside Entities Computers
>
> For those of you that run centrally administered networks, it 
> may be easy enough to just say "if it's not centrally managed 
> it doesn't get full access." For Universities with more 
> distributed IT structures, this is harder. Short term guest 
> access is one thing, but there are any number of classes of 
> devices whose users are going to require ongoing access to 
> the main network, and whose OS and apps are not going to be 
> centrally managed. ROTC is a case in point. Funds and 
> procurement rules are generally federal, and they basically 
> do their own thing. But because they're also working with 
> students they need access to all the things that other 
> departments need.
>
> This would be a great case for defining a separate security 
> zone with a firewall and some sort of remote application 
> access (citrix or SSL vpn or something of that sort).
>
> There's a more general question, though, that Buz brings up. 
> Do you allow non-University clients at all? If so, how do you 
> deal with them?
>
> Steve
>
> ============================================
> Steven Lovaas, MSIA, CISSP
> IT Security Manager
> Academic Computing & Network Services
> Colorado State University
> 970-297-3707
> Steven.Lovaas () ColoState EDU
> ============================================
>
>
> -----Original Message-----
> From: Buz Dale [mailto:buz.dale () USG EDU]
> Sent: Friday, December 14, 2007 8:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Outside Entities Computers
>
> I would think if the ROTC brought up a machine on campus it 
> would be be a federal (DOD) Gov't machine.  As such, it 
> should have very strict requirements.  It's possible the 
> staff in your local ROTC are not aware of this.
>
> Also, do you have a connection policy about machines 
> connecting to your network? A special VLAN or Lan they can be 
> placed on outside of your firewall and considered hostile?
>
> Luck,
> Buz
>
> On 12/14/07, jason rinne <jasonrinne () hotmail com> wrote:
> > The ROTC department here on campus has brought in two of their own 
> > computers to use in their office.  My concern is security 
> (anti virus, 
> > windows
> > updates) on the computer itself and identifying who was 
> logged in and 
> > when in case an issue ever came up.
> >
> > Would anyone like to share their thoughts or policies on outside 
> > entities (such as ROTC) bringing in their own computer for use in 
> > their office on campus?
> >
> >
> >
> >
> > Jason Rinne
> > IT Department
> > Missouri Valley College
> > Marshall, MO
> > www.moval.edu
> > ________________________________
> > Don't get caught with egg on your face. Play Chicktionary! 
> Check it out!
>
>
> --
> Buz Dale                                buz.dale () usg edu
> IT Security Specialist              1-888-875-3697 (In GA)
> 1-706-583-2005
> Office of Information and Instructional Technology University 
> System of Georgia GMT -5:00