Educause Security Discussion mailing list archives
Re: policy question?
From: "Soldi, Miguel" <MSoldi () UTSYSTEM EDU>
Date: Thu, 4 Nov 2010 15:16:07 -0500
Anand, Jane and Brad bring up very valid points.

Here is the link to our policy regarding practices for storage of Confidential University Data on portable and non-University owned computing devices.

http://www.utsystem.edu/policy/forms/uts165/Bulletin1_2008.docx

I believe that nowadays it is impractical to explicitly forbid but you can attempt to manage the reasons why confidential data end up in certain devices (an important question that is seldom asked for which convenience should not be an easily acceptable answer), who should know about/approve the storage of that data in those devices (addresses part of the accountability question), and if the data is going to end up in those devices anyway what safeguards should be in place.

I echo Jane's comment that training and awareness (and I would like to add consequences) are key to this issue.

Hope this helps.

ms

Miguel Soldi
University of Texas System
Information Security Compliance Office
Phone: 512-499-4217
Email: msoldi () utsystem edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rosenthal, Jane E.
Sent: Thursday, November 04, 2010 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] policy question?

The rubber meets the road on this topic and it's a difficult one. For those of you with a policy on Data or Data Classification, you may already have the requirements of handling the information in one manner or another (no matter what device or equipment is the mechanism for dealing with the information). The transmission and/or storage required for information on a home PC or mobile smartphone may be the key in these tough economic times. You can certainly do a blanket policy for any HIPAA units and possibly some others.

Training and awareness are keys to this issue as well.

_____________________
Jane E. Rosenthal
Director | Privacy Office
The University of Kansas
Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu
________________________________
The information transmitted by this email communication, including any additional pages or attachments, is only for the intended recipient and may contain confidential and/or privileged material. Any interception, review, retransmission, disclosure, dissemination, or other use and/or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at (785) 864-4904, and delete the communication from any computer or network system or dispose of the documents as directed. Thank you.
________________________________

From: Brad Judy [mailto:win-hied () BRADJUDY COM]
Sent: Thursday, October 28, 2010 2:51 PM
Subject: Re: policy question?

Be careful with such a policy. Between research funding and personal funding, a lot of faculty equipment might not technically belong to the university. Just ask a typical research lab what items would move with them if the PI decided to move to another university.

Certain types of schools might be able to provide for all faculty needs with institutionally-owned computers and equipment, but many would have major problems without "personally owned" items in use. Not to mention the vast amount of university business that is done on personally owned cell phones and smart phones.

Plus, there's the issue of third-party owned equipment on the university network, but that issue has an option of contractual security requirements.

Brad Judy
Emory University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Thursday, October 28, 2010 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] policy question?

I was wondering if other institutions have a general Policy that

a) explicitly prohibits Employees and administrators from using personal laptops or computing equipment for conducting university business? The Assumption is that they are provided university owned equipment with standard images with up-to-date security updates and protection.

b) Prohibits Student Workers/GA's from handling confidential information when working with certain departments.

Thanks,
Anand

Anand Malwade
IT Security
Seton Hall University