Educause Security Discussion mailing list archives
Re:
From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 17 Dec 2007 14:03:19 -0600
Kevin - Seems to me that you "found the balance" required, it just doesn't happen to be the balance the faculty member wants... Couple of things to consider...

- Does this FM retain personally identifiable information as defined by law or UC policy? Illinois has the Personal Information Protection Act, which defines what is subject to notification in the event of a security breach. We also have a university policy on handling of SSNs. Neither requires encryption (though that may change soon), but they recommend it as a practice, and the documents help get their attention.

- Can it be shown that the FM has sensitive data stored on the PC? We've used Cornell's Spider to discover and show where this data resides; it helps to establish the "need" for protection. We have found individuals who thought they had no data but were shown otherwise - that helped them to adapt to policy, or at least appreciate the need for compliance. Maybe cut a deal - if no sensitive data is found, no need for encryption; if data is found, get rid of it or encrypt.

- The FM's dean may be able to provide some assistance, especially where this is a matter of policy -or- just good sense.

- Assuming data is present, and you have a basis in fact for protecting it (like policy, regulation or a recent security incident), then I'd suggest discussing the "noncompliance" position with the provost, and/or human resources and/or general counsel and/or internal audit and ask for guidance (I know that our lawyers are not at all keen on having someone in the university's employ who knowingly places them at risk). You might consider asking any/all of them to put their collective support behind a "you will and will not" statement you'll be happy to draft for them - that might help sway recalcitrant faculty (or not).

We have not yet had to do this, but on a similar issue I had one of the attorneys suggest having the non-compliant party sign a document indicating assumption of risk (it never came to pass, so I don't know how that might work out). After all is said and done, if nobody wants to do anything about it, you can continue to bang your head against the wall (not recommended) or document all that you've done, e-mail that to provost/HR/legal/audit and move on - and hope that this particular FM doesn't get compromised. Frankly, I'd rather everyone abide by policy, but sometimes there's no convincing people otherwise.

Good luck!

Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930

________________________________
From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, December 17, 2007 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

Hi All:

I am having a bit of a tussle with a faculty member who is on one of the committees that already approved UC having a Full Disk Encryption Policy. I won't overload you with the verbose emails that have gone back and forth, but it seems that his concern is summed up in that he doesn't want a policy for this, as that makes it mandatory, and he is making some grandiose blanket statements about the impact to faculty if we have a Full Disk Encryption policy in place. (see below)

The policy basically says: all PCs that store restricted data (FERPA, HIPAA, GLB, PCI) will be encrypted with PGP's full disk encryption software at no cost to the individual or department. This software will be supported, as needed, by Central IT.

Hi Kevin

Encouraging FDE (full disk encryption) is fine. Mandating it - is not. Regarding your comment that "My profession is all about Risk mgt and mitigation": that is the trouble with the policy. Faculty teach, do research, etc. The policy needs to strike a balance. In years past, we had similar discussions about libraries. To protect the books, libraries should simply close their doors. A balance needs to be found. The goal of the policy should be to assist professors to follow the law while they do their job.

Here's my question: I have talked about how transparent the tool is; my team and I have used it for about 6 months now. I have talked about how, as an adjunct, I found it easy to use, and I have talked about how this IS a tool that allows faculty to do their job and to safeguard information at the same time. I have also offered to let him try the tool and he has not taken me up on that. The net result I have had is nil. Have any of you had success with a technique to overcome this type of obstacle? I have no doubt that the policy will be approved and moved forward, but I would also like to get this very vocal faculty member's support if possible.

Thanks,
-Kevin

Kevin L. McLaughlin CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)