Educause Security Discussion mailing list archives
Re: Question about confidential data in emails.
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Tue, 6 Mar 2018 14:27:40 +0000
From discussions with our financial aid folks, it sounds like the Department of Education will begin requiring something like this for all financial aid communications. As I understand it, you must have a secure method of communicating sensitive data and if you receive it via email, follow Frank’s process below along with instructions on how to send the data using the secure method.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pesino, Sherry
Sent: Tuesday, March 6, 2018 8:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

We have discussed not accepting the emails. This should work for emails received from organizations, like other state agencies (yes, some still send confidential data via email), but what if a student sends copies of tax returns or other confidential data via email? Most of our registrars and financial aid folks would be reluctant to send it back to a student. Not wanting to give the student additional hoops to jump through.

Sherry

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
Sent: Tuesday, March 6, 2018 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

This sounds like what I was trying to say, but Frank did a better job of it. +1

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Tuesday, March 06, 2018 7:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

This is actually a question that came up as part of our PCI process. The 'official' response that we got to our question was that
(a) we should make sure that we indicate not to send [CHD] over email
(b) We should not process anything based on the information we received over email
(c) we should redact and reply that we can't process it based on unencrypted email.
(d) delete the original email

Frank

On Mon, Mar 5, 2018 at 9:16 AM, Austin Bollinger <austinbollinger () grcc edu> wrote:

In your Office 365 environment, you may use DLP policy <https://support.office.com/en-us/article/create-a-dlp-policy-from-a-template-59414438-99f5-488b-975c-5023f2254369> for locating emails containing confidential info.

Then it sounds like you want to delete emails within your organization <https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a>. Beyond this, you may want an email security gateway solution or service. One vendor that comes to mind is Barracuda, there is Essentials for an all-in-one <https://www.barracuda.com/products/essentials> supporting Office 365.

Best Regards,
Austin Bollinger
Information Security Analyst
IT at Grand Rapids Community College
(616) 234-2537
austinbollinger () grcc edu | www.grcc.edu/informationtechnology/informationsecurity

"Martinez, Brian" <brm () MSU EDU> 3/5/2018 8:21 AM >>>

Why, you’d almost need some sort of… Reverse DLP?! Seriously though, I realize Mark clarified what he meant, but I did spend a few minutes this morning trying to find if something like that existed. How does one prevent themselves from accidentally receiving confidential information? NDA was the best answer I could find via Google. But even if you’ve signed one with the vendor, that doesn’t prevent it from showing up in your inbox. An interesting area of thought though. “Limit your liability by preventing the receiving of confidential data. [Buy|Download] our product!” Something cybersecurity insurers will no doubt be working on in just a few years’ time. :)

Cheers!

Brian R. Martinez
Information Security
Michigan State University
Office: +1-517-884-8791
brm () msu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, Edward
Sent: Monday, March 5, 2018 12:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

I am curious how one would do that (Refuse to receive confidential data sent by unencrypted email).

Thanks
Ed

Ed Hudson
Interim Chief Information Security Officer
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu
I subscribe to e-mail classification: i=Information, a=Action, u=Urgent

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Sunday, March 4, 2018 at 7:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Question about confidential data in emails.

I’m not sure if we have a policy for this. My personal opinion is that such mail should be rejected. You should refuse to receive confidential data via unencrypted email.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pesino, Sherry
Sent: Wednesday, February 28, 2018 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question about confidential data in emails.

Looking for some guidance in dealing with confidential data in email. How do you handle when outside entities send confidential data via email and that email needs to be retained and if not, then how is it securely deleted? Saving an email out of an O365 mailbox and deleting an email may not securely remove the mail in all forms that Microsoft stores that email in the mailbox. Scrubbing the info from inside an email may not fully scrub it. Just wondering if there are any procedures anyone uses to securely redact/scrub content from an email and procedures for handling when confidential data is sent from an outside entity?

Thank you,
Sherry
____________
Sherry Pesino
Information Security Program Office
Connecticut State Colleges and Universities
61 Woodland Street
Hartford, CT 06105
860-723-0021
pesinos () ct edu

--
Frank Barton
Security+, ACMT, MCP
IT Systems Administrator
Husson University
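
Added example, not part of the thread or any poster's code: a sketch of step (c) of the PCI process quoted above, masking Luhn-valid card numbers in an inbound plain-text body and building the "we can't process this" reply. The function names, mask string, notice text and sample message are assumptions made for illustration; step (d), deleting the original from the mailbox, is outside what this shows.

```python
import re
from email.message import EmailMessage

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
MASK = "[REDACTED CARD NUMBER]"  # hypothetical mask text

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str):
    """Return (redacted_text, hits); only Luhn-valid digit runs are masked."""
    hits = 0
    def mask(m):
        nonlocal hits
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()
        hits += 1
        return MASK
    return PAN_RE.sub(mask, text), hits

def build_reply(inbound: EmailMessage, notice: str):
    """Reply with card data masked, or None if none was found.
    Only the plain-text body is quoted; attachments are never echoed back."""
    body = inbound.get_body(preferencelist=("plain",))
    redacted, hits = redact_pans(body.get_content() if body else "")
    if hits == 0:
        return None
    reply = EmailMessage()
    reply["To"] = str(inbound["From"])
    reply["Subject"] = "Re: " + str(inbound.get("Subject", ""))
    quoted = "\n".join("> " + line for line in redacted.splitlines())
    reply.set_content(notice + "\n\n" + quoted + "\n")
    return reply

# Constructed sample: a well-known test card number plus a non-card digit run.
SAMPLE = EmailMessage()
SAMPLE["From"] = "student@example.org"
SAMPLE["Subject"] = "Payment"
SAMPLE.set_content("Please charge 4111 1111 1111 1111 for order 1234567890123.\n")
NOTICE = ("We cannot process card data sent by unencrypted email.\n"
          "Please use the secure payment method instead.")
```

The Luhn check keeps the order number in the sample untouched while the card number is masked; HTML bodies and attachments would need their own handling before anything is quoted back.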
Current thread:
- Question about confidential data in emails. Pesino, Sherry (Feb 28)
- Re: Question about confidential data in emails. Jones, Mark B (Mar 04)
- <Possible follow-ups>
- Re: Question about confidential data in emails. Hudson, Edward (Mar 04)
- Re: Question about confidential data in emails. Jones, Mark B (Mar 04)
- Re: Question about confidential data in emails. Martinez, Brian (Mar 05)
- Re: Question about confidential data in emails. Austin Bollinger (Mar 05)
- Re: Question about confidential data in emails. Frank Barton (Mar 06)
- Re: Question about confidential data in emails. Jones, Mark B (Mar 06)
- Re: Question about confidential data in emails. Pesino, Sherry (Mar 06)
- Re: Question about confidential data in emails. Thomas Carter (Mar 06)
- Re: Question about confidential data in emails. Frank Barton (Mar 06)