                           COMPUTER AND NETWORK
                          SYSTEM ADMINISTRATION
                         Summer 1996 - Lesson 30

                           Policy and Politics


Types of written policies recommended:

  A. Usage Policy  
     - Users' rights and responsibilities
     
  B. Administrator's Policy 
     - Administrators' rights and responsibilities
     - a contract between the administrators and their bosses 

  C. Resources Policy 
     - who can get an account
     - what resources are available for each class of users
     - what resource quotas are implemented
     - when does an account terminate (normal)
  

Types of written procedures recommended:

   A. Procedure for dealing with abuse of usage policy

   B. Procedures for system maintenance
      - backups
      - software installation
      - workstation installation

   C. Procedures for lab assistants


Legal issues affecting policy decisions

  A. Not much case law yet
     1. many legal questions undecided
     2. you don't want to be a test case

  B. Best advice from USENIX law workshop:

     If you know about a violation of the law and/or policy
     you are obligated to take "reasonable action" to stop
     it.

     1. you don't have much choice about the laws but you
        need to be aware of which ones may affect you

        - Federal Communications Privacy Act
        - Computer Fraud and Abuse Act
        - Florida Statute 8....
        - State and Federal pornography laws
        - Recent Communications Decency Act

     2. policies to read

        - at FSU, the student and faculty handbooks
        - the FSU Computer Usage Policy (at www.fsu.edu)
        - your department's policy

  C. Writing a policy

     1. very difficult 

     2. the problem is that there are conflicting legitimate issues

        - security vs. privacy

          > can you read a user's e-mail if you suspect that
            they have broken security?

        - security vs. convenience

          > increasing the search space for passwords makes
            users upset

          > limiting ftp or login services to certain machines
            is inconvenient

     3. the SA must perform a balancing act

        - on one side you will be blamed if the system gets
          broken into and trashed
        - on the other side you will be derided for making life
          inconvenient if you tighten up security too much
        - on one side you might be fired, sued, or charged if 
          your site turns into a child pornography repository
        - on the other hand you might be fired or sued if you
          invade the privacy of users' files to look for pornography

  D. Discussion of War Stories

     1. Boss's mistake #1 - the boss asked the sysadmin to edit
        mailboxes to remove an email sent by mistake; the sysadmin
        did so, but only after getting the boss to tell people that
        the sysadmin had been asked to trim mailboxes (page 735).

     2. Bill must die! - An unsuspecting student left himself
        logged in, and a malicious user used the open terminal to
        send threatening email to the President. Thanks to the
        quick work of the sysadmin, the student was exonerated (page 740).