Educause Security Discussion mailing list archives

Re: 3rd Party Spam Services & Data Confidentiality


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Wed, 7 Jun 2006 13:33:56 -0700

I concur with the sensitive data concerns expressed in other posts. In
addition I'd wonder, from an institutional standards and processes
position, how a college's department was able to get a DNS MX record
placed without some kind of thorough security and oversight review? Did
this process not raise a red flag in IT or IT security? How are
significant DNS changes (and, I would call MX records significant)
processed and approved?

And, I'm not pointing a finger, just offering some rhetorical questions
you might use in your homework. I hope they help.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: Doug Sandford [mailto:dsandfor () SEEBECK UA EDU] 
Sent: Wednesday, June 07, 2006 7:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 3rd Party Spam Services & Data Confidentiality

We have a department on campus that, via an MX record, is having all
their e-mail sent through a third party spam checking service. In the
absence of an institutional spam appliance or anything similar, we
understand their reasoning. Don't we all.
My concern is the integrity and confidentiality of institutional data
(FERPA related for example) that passes into the hands of these services
and what they may do with it or who may have access to it. 
What if a piece of mail is quarantined for some reason and it does in
fact contain sensitive data? Does the institution have liability for the
confidentiality of that data now that it is on the vendor's server? 
It's my initial reactive position that, since we forward the mail to an
internal institutional address initially, that the department arranging
for the services is responsible for contractual assurances with the
vendor. This issue raised its ugly head just yesterday so I'm doing
some homework before approaching the powers that be with possible
solutions.
Any thoughts or success stories are welcome. Lurking vendors please be
aware my phone rings constantly already. ;)

Thanks in advance... 
Doug Sandford
Information Security Officer
University of Alabama
Seebeck Computer Center
doug () ua edu

This email is intended only for the person to whom it is addressed.  Any
review or other use of this information by persons or entities other
than the intended recipient or any retransmission without the consent of
the sender is prohibited.
