Common Sense Requires No Policy
by Kevin McLaughlin
People often ask me if we should have a policy that requires UC community members to do “X.” Often the person is asking for a policy that declares things like: “UC community members will adhere to the laws surrounding the safeguarding of regulated data” or “UC community members will not disclose a person’s private medical information to third parties.” When I hear some questions - for example, “Do I really have to follow the federal and state laws on this topic?” - I have to wonder if we truly need a policy to tell people to follow their common sense.
I am not saying we don’t need policies. I strongly believe that policies are absolutely necessary as a vehicle to share with our community the behaviors we expect of them in regard to the protection of UC’s data. But these policies should cover topics and areas that are “gray,” which without a policy would require people to guess at the right thing to do, and be written in a manner that helps define the necessary steps people must take to demonstrate they are in compliance and showing due diligence in meeting the intent of applicable laws. Further, each policy must be enforceable - and worthy of being enforced.
It is important that UC community members follow their common sense in fulfilling their everyday duties and tasks. The courts have ruled that those who do so are not going to be held personally liable for security breaches. In the InfoSec field we call this safety net the principles of “due diligence” or being prudent, both of which are just other ways of saying making common sense decisions. However, the courts have ruled that failure to use common sense in the protection of data and the securing of an IT infrastructure is grounds for holding a person personally liable. Companies are firing IT staff who have failed to make common sense decisions in the protection of data and the securing of the IT infrastructure for which they are responsible. Policies - and clear and concise instructions - are critical in areas where it is not clear what approach constitutes common sense.
For example, the State of Ohio requires that we protect SSNs, so we do not need a policy that says you must protect SSNs. But we may need a policy that describes ways of protecting SSNs, such as disk or file encryption, using M numbers in place of SSNs, database encryption of an SSN field, not storing or using SSNs anywhere it is unnecessary, and so on. Policies should help non-security community members understand common sense ways of protecting and safeguarding data.
For more information, please visit http://www.uc.edu/infosec/.
We welcome your comments.
Return to the Spring 2008 index.