worm policy 1
How to Kill Worms and
Viruses with Policy
Pontifications
Scott Bradner
University Technology Security Officer
Harvard University
sob@harvard.edu
new title (for me)
continuing (Harvard) responsibilities
but now formalized
“University Technology Security Officer”
“technology” because no management of police
tasks
helps coordinate ways to ensure compliance with laws
watches out for new laws
coordinates development, implementation &
administration of high-level security policies
helps coordinate security awareness programs
advises CIO
facilitates security & privacy aware culture
monitors security risks
does he actually do anything himself?
Can he?
Harvard looks like
Reality
HBS
FAS
HMS
GSD
DIV
GSE
JFK
LAW
SPH
RAD
CA
actually, real reality is worse in technology
[figure: the same map of schools, now dotted with many separate research labs]
times are changing
but are not yet changed
“ETOB” (every tub on its own bottom) no longer a legit reason
so what can he do?
since assertions of central control fall on deaf ears
chair University Technology Architecture Group (UTAG)
“CIOs” from around the University
vets new technology ideas
e.g. PIN system, LDAP directory
discussion of policies
e.g. wireless nets
work with RMAS & OGC
be a visitor
laws can be used as a stick
FERPA (Family Educational Rights and Privacy Act) privacy of educational records and directory information
HIPAA (Health Insurance Portability and Accountability Act) privacy of medical records
GLB (Gramm-Leach-Bliley) privacy of financial information
Database Security Breach Act (CA)
DMCA (Digital Millennium Copyright Act) - RIAA empowerment act
the university technology environment
no university firewall
that would be silly
some school firewalls
some internal firewalls
good router ACLs (in some places)
mostly switches
reasonable clue in most official IT groups
near software monoculture on non-student desktops
mixed server picture
the players
CA staff
school staff
undergrad students
grad students
tenants
researchers
faculty
my task
(until Larry changes the culture)
get the schools to think they came up with security and privacy efforts
use laws as sticks when enthusiasm fades
get buy-in on guidelines
too much
posture, pontificate & cajole
too little
“you must”
but I knew what I was getting into
this bed was already on fire
thanks & have a good lunch