Educause Security Discussion mailing list archives
Re: Outside Entities Computers
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Fri, 14 Dec 2007 09:23:50 -0700
Any research school would be hard-pressed to prevent non-university owned systems from being on their networks. To begin with, computers purchased using many forms of research funding belong to the researcher, not the university. Additionally, there are lots of collaborations that involve professors from other institutions or colleagues from research agencies. In non-research contexts, I'm sure many (most?) institutions have partnerships or relationships with external organizations that may have some offices on their campus (professional organizations, government offices, contractors, vendors, etc). Granted, if one has a written contract as part of this relationship, adherence to campus security policies can be included in that contract. I'd consider ROTC in this group as a federal government office. Naturally, there are additional types of "outside" computers which require network access that might be placed on a more limited network like students, conference attendees, guests, etc. Since this requirement is pretty universal in higher ed (perhaps with the exception of the online-only institutions), I'll assume this isn't part of the question. The key, IMO, is that your security policies are written in relation to systems connected to your networks, rather than institutionally owned systems. Additionally, some level of network access control that requires a university employee taking responsibility for a system (by "registering" it for network access) or the user (by sponsoring him/her for a network access account) would tie any computer on the network to an individual who should know campus policies. As mentioned, relationships with formal agreements in place should include references to obeying university policies in general and perhaps specific mention of security policies. Brad Judy IT Security Office University of Colorado at Boulder
-----Original Message----- From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU] Sent: Friday, December 14, 2007 8:51 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Outside Entities Computers For those of you that run centrally administered networks, it may be easy enough to just say "if it's not centrally managed it doesn't get full access." For Universities with more distributed IT structures, this is harder. Short term guest access is one thing, but there are any number of classes of devices whose users are going to require ongoing access to the main network, and whose OS and apps are not going to be centrally managed. ROTC is a case in point. Funds and procurement rules are generally federal, and they basically do their own thing. But because they're also working with students they need access to all the things that other departments need. This would be a great case for defining a separate security zone with a firewall and some sort of remote application access (citrix or SSL vpn or something of that sort). There's a more general question, though, that Buz brings up. Do you allow non-University clients at all? If so, how do you deal with them? Steve ============================================ Steven Lovaas, MSIA, CISSP IT Security Manager Academic Computing & Network Services Colorado State University 970-297-3707 Steven.Lovaas () ColoState EDU ============================================ -----Original Message----- From: Buz Dale [mailto:buz.dale () USG EDU] Sent: Friday, December 14, 2007 8:30 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Outside Entities Computers I would think if the ROTC brought up a machine on campus it would be be a federal (DOD) Gov't machine. As such, it should have very strict requirements. It's possible the staff in your local ROTC are not aware of this. Also, do you have a connection policy about machines connecting to your network? A special VLAN or Lan they can be placed on outside of your firewall and considered hostile? Luck, Buz On 12/14/07, jason rinne <jasonrinne () hotmail com> wrote:The ROTC department here on campus has brought in two of their own computers to use in their office. My concern is security(anti virus,windows updates) on the computer itself and identifying who waslogged in andwhen in case an issue ever came up. Would anyone like to share their thoughts or policies on outside entities (such as ROTC) bringing in their own computer for use in their office on campus? Jason Rinne IT Department Missouri Valley College Marshall, MO www.moval.edu ________________________________ Don't get caught with egg on your face. Play Chicktionary!Check it out! -- Buz Dale buz.dale () usg edu IT Security Specialist 1-888-875-3697 (In GA) 1-706-583-2005 Office of Information and Instructional Technology University System of Georgia GMT -5:00
Current thread:
- Outside Entities Computers jason rinne (Dec 14)
- <Possible follow-ups>
- Re: Outside Entities Computers HALL, NATHANIEL D. (Dec 14)
- Re: Outside Entities Computers Buz Dale (Dec 14)
- Re: Outside Entities Computers Lovaas,Steven (Dec 14)
- Re: Outside Entities Computers Brad Judy (Dec 14)
- Re: Outside Entities Computers Adam Stone (Dec 14)
- Re: Outside Entities Computers Torres, Juan (Dec 14)
- Re: Outside Entities Computers Valdis Kletnieks (Dec 14)