Tuesday, January 20, 2009

the news story everybody is talking about today

The CSU is drafting information security and system use policy for all the 23 campuses, and today the academic senate of CSU Stanislaus (a.k.a. the ork-o-demic senate at Cow State Santa Claus) discussed the draft policy. I would characterize the senate's mood as unimpressed.

I was vaguely insulted by the draft policy, as I scanned through it, because it seemed to contemplate, if not actually assume, that the main info security issue the CSU has is that users (i.e., faculty and staff) treat information access like a personal playground for nefarious and illegal deeds. I hadn't put it together before the meeting, when one of my colleagues pointed out that the basic flaw in the draft policy is its failure to address universities as though teaching, research, and scholarship happened there. In the corporate environment, he noted, the assumption is that the corporation owns all information users may have some access to. In a university environment, that's not really the case, especially when faculty enjoy (as we still do, to a limited extent) academic freedom.

More to the point, it's another example of the way university administrations look at the life and work of universities: as problems, mainly generated by faculty (when not generated by students), that can generate chaos and create civil liability. As another colleague put it, sotto voce, during the senate meeting, the CSU is looking for one pedophile in San Bernardino, and we're all going to pay for it. (This is not to suggest that there is a pedophile working for or attending CSU San Bernardino. My colleague was making what is usually called a joke.)

Local experience suggests something quite different. The main problems with information security we've had have involved accidental release and insecurity of personal data. About five years ago, while changing servers, employee data were for several hours left on an unsecured server. About three years ago, our food-service concessionaire used unsecured internet access for credit and debit card transactions.

What the new CSU info security policy seems to aim for is to identify and exploit every avenue for limiting the university's potential liability.

Our mission? Eh.


Bobo the Wandering Pallbearer said...

Cool, I can comment on the last post by way of commenting on this one.

Well, how can they possibly expect to keep you in a state of terrified migrant servitude if they don't first dillute your access to information and restrict your civil liberties? It's Facism 101, you stoopie.

Doc Nagel said...

I get that. Geez! I just wish they had some subtlety or panache about it.

Lulu--Back in Town said...

You neglect to mention the time a year or so ago that they made all of your personal info googlable for a while, too, with another insecure server.

Also, how there were computers with student information on them stolen a few years before that.

I'm getting a little tired of their nice little letters about how we should be getting credit checks what with how many times they've let our info out.

Doc Nagel said...

Well, yeah, they do have a kind of panache about leaving information unsecured. Gusto, you might call it.