Re: CIPA Children Internet Protection Act

[Ozzie Paez <ozpaez () SPRYNET COM>]

Sorry Karla and thank you for your question - 

I posted the entry a few days after HP announced that it was ending
production of its WebOS products (tablet, phones, etc.) and looking to sell
or spin off its consumer computer business.  A few days later the company
tried to clarify what it was doing and since then continued producing and
selling its Tablet computer, while sticking to its decision.  I read a range
of comments and watched the market's reaction (and have continued to do so),
which were not positive.  Dell, for instance, quickly established a program
to help HP customers ditch HP for its own solutions, which brought more
attention in the media.  The point of the blog is that when something
unexpected happens that is likely to impact stakeholders and the media,
messaging is critical to prevent losing the opportunity to influence how
your story is presented and perceived.  This applies equally well to
situations such as kids/parents reporting access to inappropriate content.
So, any story that is likely to cause the media, stakeholders, etc. to ask
"Who would have thought?" is a good candidate for extra careful management
of your messaging.
Ozzie Paez
SSE/SAIC
www.ozziepaezdecisions.com 
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karla Parker
Sent: Tuesday, September 13, 2011 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CIPA Children Internet Protection Act

Ozzie, What announcement from HP are you referring to? Thanks, Karla

-----Original Message-----
From: Ozzie Paez <ozpaez () SPRYNET COM>
Sent: Tuesday, September 13, 2011 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CIPA Children Internet Protection Act

Dear Bill,
This is a really tough topic because so much of it is still being litigated
and case law is anything but definitive.  Here are a few thoughts and
recommendations that might help you, the kids and your school.  

1.  Managing the network to filter offending sites is a great start and
every institution providing these services should do this,

2.  Internally produced content, which is not filtered by boundary systems,
create significant risks, particularly when users can take devices with
them.  For example, it is illegal for any organization or person to have
sexually explicit material involving minors - Mere possession is enough.
This is still being litigated, but as of now, that is a risk.  Such content
can be injected from behind the boundary systems, so it is a real issue.

3.  You need clear policies, procedures and agreements on connectivity
outside your network if students will be able to connect through their home
or other network.  I can tell you from experience that configuring devices
like laptops to filter content when connected to different networks outside
of your control can be tricky and a determined user with plenty of time on
his or her hands (teens come to mind) may well be able to get around
controls.  So, assume that one or more of them will get around those
controls, then put in place processes for dealing with the situation.
Messaging is critical - If you lose control of your message and it gets into
the news, getting caught up is almost impossible.  Just consider what
happened to HP after their latest announcement.  I put an analysis piece on
my blog that deals with that situation and may offer some insights for you.
You can get it freely (no ads or banners...) at
http://ozziepaezdecisions.com/2011/08/24/who-would-have-thought/ .

4.  You need to protect yourself and your organization from a potential CIPA
violation.  One recommendation that I strongly suggest is for you/your
organization to join Infragard.  It is a Department of Justice/FBI - Private
Sector organization that can be of great help in preventing and responding
to a CIPA violation.  Get to know the FBI points of contact.  They can
really help should a violation take place and put you and your organization
in a totally different light.

5.  Be very careful if the students post information, documents, etc. and
they get reviewed, tweaked and approved by your organization.  There are
protection for web site operators, but many of those protections evaporate
if those providing oversight are shown to have "materially altered content"
before it is approved.  If you materially change content, then you own the
content; and there can be spillover effects as there are already case law to
that effect.  So, you need to think your way carefully if any of the
monitoring will be done by your organization.

There is much more than I can address in an e-mail, but this is a really
tough area.  A good strategy is to start by assuming "worse case" and
recovery; then work your way back.

Good Luck!
Ozzie Paez
SSE/SAIC
www.ozziepaezdecisions.com 
303-332-5363  


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of William C. Moore
Sent: Monday, September 12, 2011 6:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CIPA Children Internet Protection Act

I searched the archives and couldn't believe I didn't get a hit on this
subject.  I am looking for input from a college or university that
facilitates K12 classes on their campus.  To put my questions in context my
university has taken a leadership role and management assistance for a
charter school adjacent to our campus.  This includes assuming management
and control of the network infrastructure (all traffic is through our
network).

My questions begin with are you compliant with CIPA (Children Internet
Protection Act) and if so are you only targeting compliance for minors on
your network or a certain segment of your network.

A related question is do you continue CIPA oversight and management on
portable institutional devices when they leave your network?  For example
controls on a laptop issued to a student to carry home.


Any list or direct reply comments are most welcomed and thanks in advance.



Bill



William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Division of Information Technology
Valdosta State University
Valdosta, GA 31698
Phone:(229)333-5974
Fax:  (229)245-4349
=