The CSU is drafting an information security and system use policy for all 23 campuses, and today the academic senate of CSU Stanislaus (a.k.a. the ork-o-demic senate at Cow State Santa Claus) discussed the draft policy. I would characterize the senate's mood as unimpressed.
I was vaguely insulted by the draft policy, as I scanned through it, because it seemed to contemplate, if not actually assume, that the main info security issue the CSU has is that users (i.e., faculty and staff) treat information access like a personal playground for nefarious and illegal deeds. I hadn't put it together before the meeting, when one of my colleagues pointed out that the basic flaw in the draft policy is its failure to address universities as though teaching, research, and scholarship happened there. In the corporate environment, he noted, the assumption is that the corporation owns all information users may have some access to. In a university environment, that's not really the case, especially when faculty enjoy (as we still do, to a limited extent) academic freedom.
More to the point, it's another example of the way university administrations look at the life and work of universities: as problems, mainly generated by faculty (when not generated by students), that can generate chaos and create civil liability. As another colleague put it, sotto voce, during the senate meeting, the CSU is looking for one pedophile in San Bernardino, and we're all going to pay for it. (This is not to suggest that there is a pedophile working for or attending CSU San Bernardino. My colleague was making what is usually called a joke.)
Local experience suggests something quite different. The main problems with information security we've had have involved accidental release and insecurity of personal data. About five years ago, while changing servers, employee data were for several hours left on an unsecured server. About three years ago, our food-service concessionaire used unsecured internet access for credit and debit card transactions.
What the new CSU info security policy seems to aim for is to identify and exploit every avenue for limiting the university's potential liability.
Our mission? Eh.