Educause Security Discussion mailing list archives

Re: Alumni accounts policies


From: Ben Parker <bparker () PALOALTONETWORKS COM>
Date: Thu, 22 Sep 2016 15:19:16 +0000

(Vendor Disclaimer)
Vince,

I might suggest one more issue to look at that I have seen while working with a few schools who continue to let alumni 
have accounts and also supply Google or Office 365 accounts.

I have seen a couple of times where an alumnus might have been at an in-between, intern, or temporary job and stored quite 
a bit of PII/HIPAA information in a Google Drive/OneDrive that the school owns. While this typically isn't the school's direct 
information (it could be if they had access to such data as a student worker), it is very easy for it to just sit out there or 
get shared with other private email addresses when they leave. That doesn't mean the school wouldn't get blamed for 
the loss of that information if the alumnus had their credentials phished.

As I said, I have seen it a few times, and from an alumni account policy standpoint I think it is probably a bigger risk 
than most realize, because we haven't had good visibility into what's out there in the places where we are dumping lots of 
information. Some thought about what the policy should be on that might be beneficial as well.

Thanks,
Ben Parker

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Vince 
Bonura
Sent: Thursday, September 22, 2016 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Alumni accounts policies

Good morning, Everyone!

Our IT Risk & Data Integrity team has been in conversations with our Alumni and Development department regarding, among 
other things, our concern that passwords to access our portal do not expire for any individual with an alumni role.

If the individual was only an alumnus, the risk is exposing FERPA protected data.  However, if that individual was an 
ex-employee, there is greater concern that sensitive work information could be exposed, possibly encompassing PII, etc.

So, I wanted to take this issue to my fellow colleagues, who also deal with risks and data security concerns for their 
respective institutions.  Can you provide your current policies for:

1. Portal access for alumni: How long can they access the portal and what options can they select (e.g., student 
records, update address and request transcripts, among other access choices)?
2. Portal account password expiration: How long before their account passwords expire? Are expirations different based 
on their role(s)?
3. Email access: How long are their email rights extended for? Do you wipe out their student email and set them up 
with a clean email account? If their email account is wiped, can they be allowed to forward their email to another 
email address?
Any and all details you can provide would be greatly appreciated.

Please respond to me directly.  For those interested, you can also notify me directly and I will send you my summary of 
responses.

Thanks in advance!

Vince Bonura
IT Risk Analyst

Fordham University
(718) 817-1875
