Academic Technology and Networks, also known as ATN, has a "Computing and Networking Security Policy" which it has displayed on UNC-Chapel Hill's web page, specifically http://help.unc.edu/?id=118. Its main parts are divided up into nine or ten paragraphs, starting with the statement of its policy and then the reasons for ATN's implementation of that policy. According to ATN, the security of information on campus is not easy to maintain, nor is it cheap to maintain; thus, in order to maintain it, ATN says "In certain situations the price may involve money for special hardware or software" and other times "costs are measured in user inconvenience and frustration, reduced productivity, and suppression of creativity." The policy continues on to mention that users are held responsible for knowing ATN's rules, as well as upholding confidentiality. A general statement reveals that data will be backed up on a consistent and continual basis, and then the policy's page ends with some disclaimers and a point of contact in case any user needs to report a problem or has a question for which he or she needs an answer.
In order to accurately and fairly analyze this policy, the following defined criteria help to draw out the policy's characteristics, be they strong or weak:
1) Stakeholders: users or other people or institutions involved in and therefore affected by this policy in one way or another.
2) Coverage: how far the policy reaches, rule-wise (the people, places and things affected and why they're affected).
3) Adequacy: Does the policy adequately describe all its effects and who will be affected, as well as where more information can be found on the subjects of which it speaks?
4) Organization/Clarity of Language: Is the policy well-written and organized, to where any user can read it and comprehend its value and necessity?
The policy in its current form (as of November 4, 2004) has several strengths, as well as several weaknesses, according to the criteria above. Its stakeholders, or those affected by the policy, according to the policy, are much more than just users on the UNC-Chapel Hill campus; they are spread across the nation. This gives the policy some potential strength, in that the policy must exist because it describes the issues involved with upholding the safety of more than just a local group of students. The policy's other main strength is that it covers its bases well. It shows that its authors recognize how many people and organizations could be affected by the information coming to and from UNC-Chapel Hill, by saying "ATN systems are part of an international network of computers, and consequently must protect other sites from the misuse of our resources to attack their systems." Its coverage continues when the policy describes the potential threats that can come to bear and what the protection from those threats might cost (financially or socially), and it perhaps provides a slight disclaimer when it says that "ATN policies are intended to minimize the impact of attacks from both inside and outside, and from automated attacks as well as human directed ones" or that attacks cannot be stopped completely. Instead, and more realistically, ATN recognizes that fact and gives a policy that will allow them room if an attack ever causes damage on campus.
Problems are found, however, when we analyze this policy by asking whether or not it is organized. The policy has many organization problems. They may come from the authors trying to make the form look more official; however, the form would be less confusing if there were a bigger section on Disclaimers: the last sentence of parts II and IV of the policy belongs more as a disclaimer than as a necessary part of its respective specific category. In fact, part II of the policy in its entirety seems more of a disclaimer; i.e., part II is unnecessary as its own division, and should be moved under disclaimers for better clarity.
Whether or not this policy is adequate is debatable. It certainly seems adequate when we read the policy at a higher or more general level, especially with the seemingly nicely-done divisions. The policy does have its strengths as mentioned, and it does show an awareness of the impact of the information circulating to, within, and from this campus. However, we must also question how much time was put into this form, as it clearly needs the organizational changes stated in the previous paragraph. Also, the policy speaks in a more generalized manner, mentioning things such as " . Furthermore, there are questions that are unanswered in this policy, such as: How does ATN make sure every user knows what rights they have, and that each user agrees to their policies? Part V of the policy is labeled "User Rights and Responsibilities" but never specifically states where users can get more information on their rights, nor how ATN gets everyone to agree. Part VI mentions the fact that data will be backed up according to the schedules set by respective machine/system administrators; what it does not mention is how to get those schedules, nor which systems are always backed up and which are not. These details are important for Information Security, at least when outlining a policy, as users must be informed of more specific information. Thus, those missing details should be furnished. Furthermore, though it is perhaps not as important to information security itself, another detail is lacking on this page: a proper title. It should give the user an idea of what he or she is about to read, something such as "Computing and Network Policy for UNC-CH."
All information provided from the following source, cited in MLA style:
ITS Security. Help.unc.edu. 24 Aug. 2004. 04 Nov. 2004 <http://help.unc.edu/?id=118>.