[ale] shared research server help

Jerald Sheets questy at gmail.com
Thu Oct 5 10:37:04 EDT 2017


> On Oct 5, 2017, at 9:27 AM, Todor Fassl <fassl.tod at gmail.com> wrote:
> 
> This list has really come through for me again just with ideas I can bounce around. I'll have to tread lightly though. About a year ago, I configured the machines in our shared labs to log someone off after 15 minutes of inactivity. Believe it or not, that was controversial. Not with the faculty but with the students using the labs. It was an easy win for me but some of the students went to the faculty with complaints. Wait, you're actually defending your right to walk away from a workstation in a public place still logged in? In a way that's not such a bad thing. This is a university and the students should run the place. But they need a referee.
> 


TL;DR: I disagree.  Follow compliance guidelines. People could go to jail in a governmental (college) setting. The laws are the referee, not us.



I respectfully disagree.

Let me flex my ego muscle for a moment:  “Jerald Sheets, Lead Security Architect - Infrastructure Hardening - PayPal, Inc” at your service.


Any university is bound by common rules and guidelines to adhere to “generally accepted security standards” in regards to systems connected to the university infrastructure for the purposes of satisfying protection of PII of students, faculty, and staff.  This is also governed by FRPA and can include jail time under the right circumstances…  Just saying.

Regardless of physical, network, and other similar security controls in place, host security demands that TMOUT be on, enabled, and unable to be circumvented.




HIPAA:

A covered entity should activate a password-protected screensaver that automatically prevents unauthorized users from viewing or accessing electronic protected health information from unattended electronic information system devices.

SOX:

User session timeout is defined and in place for authorized users Audit and review user privil

ITIL:

ISO/IEC 27002
11.5.5 Session time-out

PCI:

8.5.15 Idle Session Timeout threshold

Disconnect Idle session is less than or equal to 15 minutes



These are the reasonings I use with CISOs, CIOs and CEOs to explain to them that just because Devs are yelling about various security controls does not mean they get to have what they want.

“You could go to jail over this one” has been uttered more than once by me, and I count it a great responsibility on my part as a Security guy first and a Systems guy second to ensure that the law and various compliance guidelines are followed.

If I have people continuing to demand non-compliance, I work up a business case for them to sign their name to “when the auditors come around on this, they’ll want to know who’s responsible and who should be prosecuted in the event of data loss or breach”.  That usually gets their attention and gets them to think twice about these things.

The balance is ALWAYS security versus usability, and the security guidelines we are both legally and honor-bound to follow are the “referee” here.  You aren’t.  I implement what’s given to me within the confines of the law, and I do not step outside of it.  No student, teacher, full or associate professor, department chair has the authority to overrule these guidelines.

The board or president of your university does, and they are ultimately responsible (as any CEO would be) for what goes on both physically and virtually on their campus.


—j


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20171005/9dc01ffe/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: Message signed with OpenPGP
URL: <http://mail.ale.org/pipermail/ale/attachments/20171005/9dc01ffe/attachment.sig>


More information about the Ale mailing list