
[IP] more on Hacker Hits California University Computer





Begin forwarded message:

From: Joseph Lorenzo Hall <joehall@xxxxxxxxx>
Date: October 20, 2004 5:29:34 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>, Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Subject: Re: [IP] more on Hacker Hits California University Computer
Reply-To: joehall@xxxxxxxxx

(this is probably interesting enough for IP!)

On Wed, 20 Oct 2004 16:11:37 -0400, David Farber <dave@xxxxxxxxxx> wrote:
> I was rather disappointed by how UC chose to implement policy
> amendments to respond to the changes in the law; so far as I saw they
> consisted largely of putting a patch on the existing security policy,
> when a more appropriate response, from my perspective, should have been
> to salvage an existing *records* policy that had seen years and years
> of neglect.

Let me (unofficially) respond to this, being the grad. student on the
leading technology committee on campus - the eBerkeley Steering
Committee (eBSC)[1].  There has been much movement in the policy space
on campus with respect to security (as Mr. Stapleton-Gray notes) and
data stewardship (which Mr. Stapleton-Gray may not be aware of).
Specifically, a policy - the Data Management and Use Policy[2] - was
almost passed by our committee last year after two years in
development; this policy would have mandated various steps in data
stewardship across campus (data dictionaries, data stewardship roles,
etc.).

However, a few faculty members, other graduate students and myself saw
the policy in that state as highly flawed (no interpretive
documentation, statements about "owning" all data on campus across all
media, etc.) partially because it had "stewed" amongst a small group
of policymakers for two years.

So, what happened to this policy and the process?  We (the eBSC)
decided to send it through the faculty senate for vetting.  As you can
imagine, sending a policy through the faculty senate is a
time-consuming process but we are confident that a lot of the aspects
of the policy that were particularly bad and short-sighted will be
ironed out by the UC Berkeley faculty.

Would this policy itself have made a difference? That's hard to say.
We'll have to wait for more information on the nature of the attack.
This is something that could happen (and has happened) to other
universities... and getting PIs from many many disciplinary
backgrounds to understand that they can't, for example, take large
amounts of sensitive data home on their laptop, is not easy.

[1] http://ebsc.berkeley.edu/
[2] http://datasteward.berkeley.edu/

Joe

--
Joseph Lorenzo Hall
UC Berkeley, SIMS PhD Student
http://pobox.com/~joehall/
blog: http://pobox.com/~joehall/nqb2/


Archives at: http://www.interesting-people.org/archives/interesting-people/