Educause Security Discussion mailing list archives
Re: Alumni accounts policies
From: Ben Parker <bparker () PALOALTONETWORKS COM>
Date: Thu, 22 Sep 2016 15:19:16 +0000
(Vendor Disclaimer)

Vince,

I might suggest one more issue to look at that I have seen while working with a few schools who continue to let Alumni have accounts and also supply Google or Office 365 accounts. I have seen a couple times where an alumnus might have been at an in-between, intern or temporary job and stored quite a bit of PII/HIPAA information in Google Drive/OneDrive that the school owns. While this typically isn’t the school’s direct information (it could be if they had access to such data as a student worker), it is very easy to just sit out there or get shared with other private email addresses when they leave. That doesn’t mean the school wouldn’t get blamed for the loss of that information if the alumnus had credentials phished.

As I said, I have seen it a few times, and from an Alumni account policy standpoint I think it is probably a bigger risk than most realize because we haven’t had good visibility into what’s out there where we are dumping lots of information. Some thought around what the policy should be on that might be beneficial as well.

Thanks,
Ben Parker

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Vince Bonura
Sent: Thursday, September 22, 2016 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Alumni accounts policies

Good morning, Everyone!

Our IT Risk & Data Integrity team has been in conversations with our Alumni and Development department regarding, among other things, our concern that passwords to access our portal do not expire for any individual with an alumni role. If the individual was only an alumnus, the risk is exposing FERPA protected data. However, if that individual was an ex-employee, there is greater concern that sensitive work information could be exposed, possibly encompassing PII, etc. So, I wanted to take this issue to my fellow colleagues, who also deal with risks and data security concerns for their respective institutions.

Can you provide your current policies for:

1. Portal access for alumni: How long can they access the portal and what options can they select (e.g., student records, update address and request transcripts, among other access choices)?
2. Portal account password expiration: How long before their account passwords expire? Are expirations different based on their role(s)?
3. Email access: How long are their email rights extended for? Do you wipe out their student email and set them up with a clean email account? If their email account is wiped, can they be allowed to forward their email to another email address?

Any and all details you can provide would be greatly appreciated. Please respond to me directly. For those interested, you can also notify me directly and I will send you my summary of responses.

Thanks in advance!

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875