Larry Dean Farrell

INLS 187

Security Policy Analysis


Reviewed policies:

Acceptable Use Policy. Duke University. 22 Oct. 2004 <http://www.duke.edu/websrv/policy.html>

Group E-mail Policy. June 2001. Office of Information Technology, Duke University. 22 Oct. 2004 <http://www.oit.duke.edu/group-email/>

Computing and Electronic Communications at Duke University: Security & Privacy. May 1997. Office of Information Technology, Duke University. 22 Oct. 2004 <http://www.oit.duke.edu/oit/policy/ITACPolicy.html/>

Duke University Campus Security Incident Procedure. Oct. 2002. Office of Information Technology, Duke University. 22 Oct. 2004 <http://www.oit.duke.edu/security/policy/incident.html/>


Policy Summary:

I looked at a number of computing policies maintained by Duke University. Since each of them in and of itself is a fairly small document, I have decided to agglomerate them and discuss them as a whole rather than focusing on any one particular policy. The specific policies I looked at were the Acceptable Use Policy, the Group E-mail Policy, the Security & Privacy Policy, and the Incident Response Policy.

Duke University has a variety of computing policies, each dealing with different contingencies and aspects of computing. The first policy I looked at was a very short document on acceptable web page usage. The policy stated that users may put up web pages free of charge, but that user accounts that receive more than 10,000 hits a day will be asked to remove the high-traffic pages.

The second policy I looked at concerned group email. It detailed what constitutes a group email, how to secure approval to send one, and whom to contact with approval requests. It also discussed other matters encompassed by the policy, such as abiding by university and applicable state and federal regulations. It also recommended the use of group aliases so that the users receiving the email remain as anonymous as possible.

The third policy I looked at gave a brief introduction to what users can expect in the way of privacy for their computer files. Basically, Duke says it is committed to privacy and free speech, but that relevant laws and contractual obligations sometimes make it necessary for the university to disclose user information. It therefore refuses to guarantee that a user's files and email will remain private. The policy goes on to state that though the university does not restrict the content of material, it will remove material deemed to be in violation of applicable laws or university policies.

The final policy I looked at was the computer intrusion reporting policy. In this document Duke distinguishes between a compromised and a vulnerable computer. A compromised computer is one that has been broken into and on which an unauthorized remote user is executing programs or commands. A vulnerable computer is one that could allow unauthorized users remote access to its files. The policy then goes on to explain incident levels. A category one incident is one in which a node is actively causing trouble on the network, or in which confidential information is being transferred by an unauthorized user. A category two incident is a compromised computer that is not actively engaged in mischief, and a category three incident is a computer that has been identified as being vulnerable to attack.

Duke's response to all three categories is to contact the local administrator. For a category one incident, if there is no response from that administrator within 15 minutes, the computer will be pulled off the network. This period can be lengthened if the computer is deemed mission critical or the intrusion is not thought to be severe, but such a computer will not be left on the network for longer than five days. A category two incident will result in the computer being pulled within 2 days if the systems administrator does not respond, or within five days if the administrator responds but has not corrected the problem. A category three incident will be fixed as the systems administrator sees fit, and the computer will not be pulled off the network.
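The escalation rules summarized above lend themselves to an explicit decision function. The following Python is an added illustration written for this analysis, not Duke's own tooling; the `Incident` fields and the `granted_extension_days` input are assumptions used to model the mission-critical exception.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Deadlines exactly as the summary above describes the Duke procedure
# (constructed encoding of that summary; this is not Duke's own tooling).
CAT1_DEFAULT = timedelta(minutes=15)
CAT1_EXTENSION_CAP = timedelta(days=5)
CAT2_NO_RESPONSE = timedelta(days=2)
CAT2_RESPONDED_UNFIXED = timedelta(days=5)


@dataclass
class Incident:
    category: int                       # 1, 2 or 3 as defined in the policy
    elapsed: timedelta = timedelta(0)   # time since the local admin was contacted
    admin_responded: bool = False
    corrected: bool = False
    mission_critical: bool = False
    low_severity: bool = False
    # Hypothetical field: extension (in days) granted for a category one host;
    # the policy caps any such extension at five days, so it is clamped below.
    granted_extension_days: Optional[float] = None


def disconnect_deadline(inc: Incident) -> Optional[timedelta]:
    """How long after notification the host is pulled, or None if never."""
    if inc.category == 1:
        if (inc.mission_critical or inc.low_severity) and inc.granted_extension_days:
            return min(timedelta(days=inc.granted_extension_days), CAT1_EXTENSION_CAP)
        # Assumption: the summary only covers a non-responding admin for category
        # one; a response without a fix is treated as still subject to the deadline.
        return CAT1_DEFAULT
    if inc.category == 2:
        return CAT2_RESPONDED_UNFIXED if inc.admin_responded else CAT2_NO_RESPONSE
    if inc.category == 3:
        return None  # fixed as the administrator sees fit; never pulled
    raise ValueError(f"unknown incident category {inc.category}")


def should_disconnect(inc: Incident) -> bool:
    """True when the policy says the host must now come off the network."""
    if inc.corrected:
        return False  # the problem is fixed, so there is nothing to escalate
    deadline = disconnect_deadline(inc)
    return deadline is not None and inc.elapsed >= deadline


def evaluate(category: int, elapsed_minutes: float, **flags) -> bool:
    """Convenience wrapper taking the elapsed time in minutes."""
    return should_disconnect(Incident(category, timedelta(minutes=elapsed_minutes), **flags))
```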

Policy Analysis:

The criteria on which I plan to evaluate each policy are: the clarity of each policy; the due process specified by each policy; any loopholes; and the overall adequacy of each policy.

The Acceptable Use Policy, which concerns the posting of web pages, is a particularly short policy. The language is relatively clear, specifying that web postings will be made available free of charge. It goes on to specify that users who maintain accounts that receive over 10,000 hits will be asked to remove their high-traffic sites. The policy says little about due process; it merely states that users will be asked to remove highly trafficked sites from their public_html folder, and gives no guidelines about what will happen if a user refuses to remove a site, or about notifying the user if their account nears 10,000 hits. I see no particular loopholes in the policy, though as a whole it fails to make certain things explicit, such as who is allowed to maintain an account (it is assumed that only those in the Duke community are eligible). Secondly, it says nothing about what can be posted. Is it acceptable for a user to maintain a porn page, for example? Nor is it in any way clear what will happen to a user who refuses to take down a heavily trafficked site, though in its defense the policy does refer users to the whole web of computing policies at Duke for further information. The university might also want to send out a series of warning emails to users approaching 10,000 hits.

The second policy under review is the Group E-mail Policy. This policy is far more encompassing than the previous one. It clearly specifies what constitutes a group email and who needs to be contacted if one wishes to send one. It also gives a clear list of guidelines to follow in setting up and sending the email, as well as the consequences for users who violate the policy, though it does not refer them to a specific policy nor say what will happen if the email policy is violated, leaving it somewhat unclear what due process users have if they are accused of a violation. The one loophole I can see in this policy is that in the end it probably does little to stop group emails, as it applies only to users at Duke, and most "group emails" tend to be sent by spammers. Overall, as regards the Duke community, the policy is probably effective in reducing the amount of unwanted internally generated mail, though it could be clearer on exactly what will happen to users who violate it.

The third policy under review is the Security & Privacy Policy. Though quite short, this policy is quite clear. It comes right out and says that Duke does not guarantee the privacy of electronic folders or communications. It also clearly states that postings not in accordance with university guidelines or state and federal laws will be subject to removal, and that the users who posted them can be barred from accessing the university network. It is also relatively clear as regards due process, stating that each case will be handled using the standard university policy for such matters, though what rights the accused has, or where they can be found, is not specified. I see no particular loopholes in this policy. Overall, for such a concise document it succinctly spells out the specified policy.

The last policy under review is the Computer Security Incident Report. This policy clearly specifies Duke's response to computer intrusion, differentiating between compromised and vulnerable computers, dividing incidents into different levels of severity, and clearly spelling out what will happen at each incident level. It also explains who will be contacted in the event of an incident (the local systems administrator) and what will happen if that person does not take appropriate action. It also allows for exceptions to be made at the IT Security Office's discretion and goes on to state the criteria for making an exception to the policy guidelines. The policy gives short shrift to due process, such as how to bring a computer back onto the network, or what might happen, personally, to a systems administrator who fails to respond to IT security warnings. I can see no real loopholes in this policy. Overall, it is a solid policy, clearly spelling out what will happen to a computer during an intrusion, though it gives no guidelines as to what penalties negligent systems administrators might face other than having their computer taken off the network; the university might therefore want to flesh it out a bit, perhaps by adding reprimand levels for recalcitrant systems administrators.

Conclusion:

In conclusion, Duke's IT policies seem rather uneven: several of them are well done, while others seem rather vague on key points, though in Duke's defense their IT policy as an organic whole was not reviewed. Hopefully, they form a coherent whole that serves not only the interests of the policy makers but the Duke community as well.