1. Plugging the Policy Gap: If You Build It, Governance Will Follow Ian Taylor University of Washington Copyright Ian Taylor, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Areas of focus Policy issues around Identity Management Policy issues around Identity Management Controlling Access to systems and data Controlling Access to systems and data Management and distribution of PII Management and distribution of PII Protection of privileged information Protection of privileged information The chain of delegated authority The chain of delegated authority Finding the Owners, Custodians, Stewards Finding the Owners, Custodians, Stewards And holding them accountable! And holding them accountable!

3. The fundamental problem Technology solutions outpace the development of policy and formal practice. Technology solutions outpace the development of policy and formal practice. Those who develop technology solutions are not (normally) responsible for developing institutional policy. Those who develop technology solutions are not (normally) responsible for developing institutional policy. Those responsible for formulating institutional policy are (normally) positioned outside of the IT organization. Those responsible for formulating institutional policy are (normally) positioned outside of the IT organization.

4. The risks Practices and procedures develop in an ad hoc fashion, without guidance or oversight Practices and procedures develop in an ad hoc fashion, without guidance or oversight Might be good, but will probably be poor. Might be good, but will probably be poor. Non-compliance with institutional standards, state and Federal regulations: liability issues. Non-compliance with institutional standards, state and Federal regulations: liability issues. Real risks to real people: PII exposure, ID theft, personal danger (stalking). Real risks to real people: PII exposure, ID theft, personal danger (stalking).

5. What we’ve done about it Security Middleware unit formed 2003, consolidating Security Middleware unit formed 2003, consolidating Person Registry Person Registry Pubcookie (SSO) Pubcookie (SSO) White Pages and other LDAP directories White Pages and other LDAP directories Privilege Management system (ASTRA) Privilege Management system (ASTRA) Certificate Authority Certificate Authority … etc … etc Main focus of efforts: Main focus of efforts: Consolidating, rebuilding, extending Consolidating, rebuilding, extending Preparing for future services Preparing for future services Responding to client demands Responding to client demands Searched for Policy guidance Searched for Policy guidance

6. Case: ASTRA Privilege Management Deployed 2003, created Delegator and Authorizer roles reflecting the hierarchy of control and the organizational structure of the University. Deployed 2003, created Delegator and Authorizer roles reflecting the hierarchy of control and the organizational structure of the University. These roles were not previously defined and did not exist. We worked directly with the Executive Vice President and Provost to create a delegation process which produced an authoritative chart of these designees. These roles were not previously defined and did not exist. We worked directly with the Executive Vice President and Provost to create a delegation process which produced an authoritative chart of these designees.

7. Case: Student Groups Groups Directory Service supplies Course Groups to departmental system developers, for the purpose of managing access to services and resources. Groups Directory Service supplies Course Groups to departmental system developers, for the purpose of managing access to services and resources. The release of student data in this fashion raised several FERPA policy questions. We worked directly with the Registrar to develop a lightweight registration and approval process for the use of this data. The release of student data in this fashion raised several FERPA policy questions. We worked directly with the Registrar to develop a lightweight registration and approval process for the use of this data.

8. Techniques, tips, experiences Build it anyway. Build it anyway. Research, read, and reflect existing published policies. Ask questions. Research, read, and reflect existing published policies. Ask questions. Be prepared for The Brush-off. Be prepared for The Brush-off. Presumptive Close. Presumptive Close. Deal with whoever will deal with you. Deal with whoever will deal with you. Communicate, communicate, communicate. Communicate, communicate, communicate.

9. The Beams of New College How Buildings Learn, by Stewart Brand The anthropologist/philosopher Gregory Bateson used to tell a story: New College, Oxford, is of rather late foundation, hence the name. It was founded around the late 14th century. It has, like other colleges, a great dining hall with big oak beams across the top, yes? These might be two feet square, forty-five feet long. A century ago, so I am told, some busy entomologist went up into the roof of the dining hall with a penknife and poked at the beams and found that they were full of beetles. This was reported to the College Council, who met in some dismay, because where would they get beams of that caliber nowadays?

10. The Beams of New College How Buildings Learn, by Stewart Brand One of the Junior Fellows stuck his neck out and suggested that there might be on College lands some oak. These colleges are endowed with pieces of land scattered across the country. So they called in the College Forester, who of course had not been near the college itself for some years and asked him about oaks. And he pulled his forelock and said, “Well sirs, we was wonderin’ when you’d be askin’.”

11. The Beams of New College How Buildings Learn, by Stewart Brand Upon further inquiry it was discovered that when the College was founded, a grove of oaks had been planted to replace the beams in the dining hall when they became beetly, because oak beams always become beetly in the end. This plan had been passed down from one Forester to the next for five hundred years. “You don’t cut them oaks. Them’s for the College Hall.” A nice story. That’s the way to run a culture.

12. The Middleware Architect Building infrastructure (growing trees) for the future, quietly waiting out the storms and tempests of university administration; waiting for the day they realize that they need what we’ve built (grown) more than they ever knew. Building infrastructure (growing trees) for the future, quietly waiting out the storms and tempests of university administration; waiting for the day they realize that they need what we’ve built (grown) more than they ever knew. Then they’ll create policy around what already exists. Then they’ll create policy around what already exists.