Our institution is coming into compliance with a data security standard
recommended by our auditors. I suspect all larger institutions of higher
education are doing so as well. But faculty and research staff (among
others) here wish to be exempted from some security policies, in particular
the requirement that passwords be changed regularly, and the imposition of
screen/keyboard lockout after some period of workstation idle time.
I would like to ask my fellow CIOs how their institutions handle this
conundrum: while the policies are no doubt good ones and benefit everyone's
security, there is a reasonable claim that isolation from business
enterprises is sufficient to exempt users from these strictures as long as
compensating controls are in place. I am interested in learning what ways
you have employed to address this concern. I will be happy to assemble and
summarize responses (to me, please, not the list) and report back.
1. Do you accommodate requests for exemptions from your data security
standard for entire classes of users?
2. Does your institution have physically separate networks for business vs.
other functions of the enterprise (not counting students)?
3. If you do not employ physically separated networks, how do you separate
the business functions from other elements of your user community?
4. What is your password policy, and does it apply to all users or only to
Again, please reply to me and I will summarize responses for the list.
Thanks in advance.
Francis C. Lees, Ph. D.
Chief Information Officer
The American Museum of Natural History
Central Park West at 79th Street, New York, NY 10024 www.amnh.org
tel: (212) 769-5499; fax: (212) 313-7490
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.