July 12, 2002

Should the fed govt force security on universities?

One of the security people at Georgia Tech mentioned that the Federal Government was considering writing some words about computer security into the rules governing Federal grants. I've now found some concrete information about that. Here's a PowerPoint on the topic by Bob Mahoney of MIT from 1/2002; he also points to two documents with the actual text of the proposed changes: the Safe Computing Environment Requirements, and an appendix to those requirements.

Here's a summary of the high points taken from Bob's presentation:

  • Grantees are required to certify that they will provide a "safe computing environment".
  • SCE refers to both initial config and ongoing maintenance of covered systems.
  • Changes to SC environment must be reported.
  • Requires statements of appropriate use to be given to all employees.
  • Requires prompt notifications of "significant events".
  • Specifies actions to be taken for security events.