Lecture 17: Policy and Management

Date: November 8, 2013
Homework due: Nov. 20 at 5:00pm
  1. Midterms: average (mean) was 73
  2. Security policy
    1. Set of rules describing what is allowed and what is not allowed
    2. Soundness, completeness, and precision
    3. In practice, developed to meet specific needs of organization
  3. Developing a policy
    1. Who does this, especially in an organization with multiple organizational units
    2. Requirements analysis
    3. Turning them into policy
    4. Communicating the policy to others
  4. Real-life problems
    1. Policy incompleteness
    2. Dynamic vs. static policies
    3. Incorrect or contradictory policy rules
  5. Management
    1. Ensuring that the policy is carried out correctly
  6. Problems
    1. Enforcement mechanisms may not be able to enforce policy exactly
    2. Policy may be enforced poorly
    3. Policy and/or enforcement mechanisms may conflict with work goals
  7. Users and policy
    1. Are users the enemy?
    2. How are exceptions handled?
    3. Fairness in general
  8. First example: UC and UC Davis email policy
  9. Second example: “Big data”, government and corporate interests, peoples’ interests
You can also obtain a PDF version of this. Version of November 7, 2013 at 8:21AM