http://campustechnology.com/Articles/2012/08/08/Preparing-for-Back-to-School-BYOD.aspx

Interesting checklist about BYOD and fall Prep

--
Theresa Rowe
Chief Information Officer
Oakland University
 

Comments

Message from shelf@westernu.edu

Thank you for the article, Theresa.

 

The following paragraph is a bit paradoxical and problematic:

 

"The first step is to determine which devices (i.e., iPad, Android smartphone, PlayStation Xbox, etc.) need to be supported, and if those devices are secure enough to be granted network access. For example, you may decide that Android's open application marketplace poses too much of a security risk to your network, so those devices will not be supported."

 

In a BYOD environment, it would seem, the phrase "...poses too much of a security risk to your network..." as applied, carte blanche, to a platform, is a bit naive or misinformed, at best, and a bit arbitrary and capricious, or even biased, at worst. E.g., independent of platform, many folks root their phones (poorly), which, often, opens the device as wide as Texas to all sorts of “fun” security issues.

 

It would seem much wiser, from both a technical and political perspective, rather than implementing policy based on device platform, that one do it from a policy perspective, based on device and end-user behavior and responsibility, and, from a technical perspective, based on what the device is doing on the network, and react accordingly.

 

Fascinating topic, IMHO.

 

Sincerely,

Scott Helf, DO, MSIT
Chief Technology Officer-COMP
Director, Academic Informatics
Assistant Professor

Department of Academic Informatics
Office of Academic Affairs
College of Osteopathic Medicine of the Pacific
Western University of Health Sciences
309 East 2nd Street
Pomona, CA  91766

909-781-4353
shelf@westernu.edu
www.westernu.edu

Good points, Scott.

Doesn't it seem that we are all interested in security, but we are trying to figure out what security actually is and what it looks like in a BYOD environment? 

Similarly, I was asked on campus yesterday "What is compliance? How does compliance relate to security?" I responded that compliance in this context means "conforming with stated requirements." Regulatory compliance means conforming to laws and regulations, and more and more we deal with IT regulatory compliance, which specifically provides standards related to information technology. Compliance is a state of being and action, with different steps:
 
1)  Assess the area of compliance and the scope of the compliance area.
2)  Perform a risk assessment.
3)  Develop an action plan based on the outcomes of the risk assessment and assign the action plan.
4)  Execute and document the action plan.

How does compliance relate to security?  Security consists of the technical controls that are implemented as action steps to address risks identified in the risk assessment.  If we go through the risk assessment, identify risks, then we implement technical changes to remove risks.  Those technical changes and implementations represent the security architecture.

So back to BYOD - have we really understood the compliance standards we are trying to achieve?  Probably the same list we continually work with - university assets, FERPA, maybe HIPAA or FERPA.
But how do we do the risk assessment?  Is that where we are stuck?  That gets back to the device list, and what systems are running on the device list.  As I talk myself through this, it seems that the device list / software matrix has gotten so enormous, with a fluid perimeter added, that we are struggling with the risk assessment.

Theresa



I generally agree except I feel the need to point out that (information) security is about other controls besides technical (physical, administrative, regulatory).

Thanks,
Greg



All: I haven't had time to closely follow this thread ... but it is of huge interest. I'm not as concerned about BYOD with faculty/staff (I think we're OK there) ... but student BYOD is a huge issue, as most of our older Residence Halls do not have wireless (just wired access), and our Housing Dept. does not want to spring for the bill to install wireless until Halls get updated ... so at one Residence Hall a biennium, by 2040 we should be there. How are others addressing the plethora of wireless-only devices in Residence Halls that do not have wireless?
 
1) Tough luck!  Go somewhere on campus where there is wireless or move to a newer Hall that has it (this'll get me tarred and feathered).
2) Use your cellular/mobile service only, when in the Residence Halls (that's not popular). I've had parents tell me ... "Are you going to pay my son's mobile bill if he can't get on wireless with his iPad?"
3) Forcing Housing to install wireless in all Residential Halls (I do not have that much clout).  Our older halls are concrete and brick.   It's difficult and expensive to install. 
4) Installing Micro-WAPs in individual rooms.
5) Allowing students to install their own Wireless Routers in their rooms (something we currently do not "officially" endorse, but I've told students to do if there's no alternative). 
 
Any other recommendations?

 

 
 
Carmen A. Rahm
Asst. VP for Info. Technology
Central Washington University
400 East University Way
Ellensburg, WA  98926
Direct Phone:          (509) 963-2925
Mobile Phone:         (360) 271-2992
ITS Office Phone:   (509) 963-2333
ITS Homepage:       www.cwu.edu/~its
GO GREEN! This email uses 100% recycled electrons.
No electrons were harmed while composing this message.


Message from luikart.7@osu.edu

Another factor to consider, outside of the compliance issue, is the almost exponential growth in demand for wireless bandwidth.  We are using a formula for capacity planning that we call "three devices per seat."  That is, expect students and many employees to bring three devices (smartphone, laptop, tablet) with them wherever they go that all want to connect to wireless networks at the same time.

This trend is easy to validate by visiting any of our student gathering areas where wireless coverage is present.  If you don't plan for three devices per seat, you may find that many wireless network segments will become saturated and unresponsive when students are present en masse.

Concurrent with the 3 devices trend, our friendly cellular carriers are moving from "unlimited" data plans to "shared" data plans, which will drive students away from 3G/4G connections to wireless.  It is a bit early to tell how much this will affect demand for bandwidth, but we expect to see some changes as early as the start of fall semester.

This may not be relevant to others, but our capacity forecasts predict an increase in wireless bandwidth demand of between 24% and 40% over current levels starting this fall. Yikes!

Best Regards,
Rob
  
Robert B. Luikart
Chief Information Officer
OSU College of Food, Agricultural, and Environmental Sciences
216 Kottman Hall
2021 Coffey Road
Columbus, OH  43210-1044
Office: 614.292.4774
http://cfaes.osu.edu/


From: Theresa Rowe <rowe@OAKLAND.EDU>
Reply-To: The EDUCAUSE CIO Constituent Group Listserv <CIO@listserv.educause.edu>
Date: Wednesday, August 8, 2012 5:31 PM
To: "CIO@listserv.educause.edu" <CIO@listserv.educause.edu>
Subject: Re: [CIO] BYOD from a network analyst view
Resent-From: <luikart@ag.ohio-state.edu>
Resent-Date: Wednesday, August 8, 2012 5:31 PM

