Educause Security Discussion mailing list archives

Re: Question about confidential data in emails.


From: Frank Barton <bartonf () HUSSON EDU>
Date: Tue, 6 Mar 2018 09:27:45 -0500

Sherry, I would try to "spin" it as an educational opportunity for your
students.

While they may trust you, you want to get them in the habit of trying to
find secure methods to get data from them to anybody that needs the data.
Just because they trust you doesn't mean that they should trust... Comfort
Inn when they ask for credit card information to be emailed to them...

By making your students aware of data security early (and often) it will
serve them well as they graduate and move into their respective
professional careers (doubly so if they are going into a highly regulated
field such as healthcare, banking, etc.).

We have inbound policies (as described previously) about what to do when
messages come in, but we also have outbound DLP filters that will reject a
message, and indicate secure ways to send the data in the bounce message.

Frank

On Tue, Mar 6, 2018 at 9:14 AM, Pesino, Sherry <SPesino () commnet edu> wrote:

We have discussed not accepting the emails. This should work for emails
received from organizations, like other state agencies (yes, some still
send confidential data via email), but what if a student sends copies of tax
returns or other confidential data via email? Most of our registrars and
financial aid folks would be reluctant to send it back to a student, not
wanting to give the student additional hoops to jump through.



Sherry



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Jones, Mark B
*Sent:* Tuesday, March 6, 2018 9:00 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Question about confidential data in emails.



This sounds like what I was trying to say, but Frank did a better job of
it.



+1



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Frank Barton
*Sent:* Tuesday, March 06, 2018 7:11 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Question about confidential data in emails.



This is actually a question that came up as part of our PCI process.



The 'official' response that we got to our question was that:

(a) we should make sure that we indicate not to send [CHD] over email;

(b) we should not process anything based on the information we received
over email;

(c) we should redact and reply that we can't process it based on
unencrypted email;

(d) delete the original email.



Frank
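An added illustration (my own example, not Frank's filter or any product's code) of the handling described in this thread: the DLP filter that rejects a message and points the sender to a secure channel, and PCI steps (b)-(d) above applied to an inbound message body. It assumes that cardholder data means a Luhn-valid 13-19 digit PAN and uses a placeholder secure-upload URL.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed placeholder; a real deployment would name its own secure upload path.
SECURE_CHANNEL = "https://secure-upload.example.edu/ (placeholder)"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; screens out most order numbers and reference IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Replace each Luhn-valid PAN with a marker keeping only the last four."""
    count = 0

    def mask(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()        # digits but not a card number: leave as-is
        count += 1
        return f"[REDACTED PAN ending {digits[-4:]}]"

    return PAN_RE.sub(mask, text), count


def handle_inbound(body: str) -> dict:
    """No CHD -> accept unchanged. CHD -> do not process, keep only the
    redacted copy, reply naming the secure channel, drop the original."""
    redacted, n = redact_pans(body)
    if n == 0:
        return {"action": "accept", "body": body, "reply": None}
    reply = (f"Your message contained {n} card number(s) and cannot be processed "
             "because it arrived over unencrypted email. The original has been "
             f"deleted; please resend it via {SECURE_CHANNEL}.")
    return {"action": "reject", "body": redacted, "reply": reply}


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test PAN next to a 13-digit reference number.
    print(handle_inbound("Please charge 4111 1111 1111 1111, ref 1234567890123. Thanks!"))
```

The reference number survives untouched because it fails the Luhn check, which is what keeps a filter like this from bouncing ordinary invoices and order confirmations.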



On Mon, Mar 5, 2018 at 9:16 AM, Austin Bollinger <austinbollinger () grcc edu>
wrote:

In your Office 365 environment, you may use a DLP policy
<https://support.office.com/en-us/article/create-a-dlp-policy-from-a-template-59414438-99f5-488b-975c-5023f2254369>
for locating emails containing confidential info.

Then it sounds like you want to delete emails within your organization
<https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a>.

Beyond this, you may want an email security gateway solution or service.
One vendor that comes to mind is Barracuda; there is Essentials for an
all-in-one <https://www.barracuda.com/products/essentials> supporting Office
365.





Best Regards,

*Austin Bollinger*

Information Security Analyst

IT at Grand Rapids Community College

(616) 234-2537

austinbollinger () grcc edu | www.grcc.edu/informationtechnology/informationsecurity



"Martinez, Brian" <brm () MSU EDU> 3/5/2018 8:21 AM >>>

Why, you’d almost need some sort of… Reverse DLP?!



Seriously though, I realize Mark clarified what he meant, but I did spend
a few minutes this morning trying to find if something like that existed.
How does one prevent themselves from accidentally receiving confidential
information? NDA was the best answer I could find via Google. But even if
you’ve signed one with the vendor, that doesn’t prevent it from showing up
in your inbox.



An interesting area of thought though. “Limit your liability by
preventing the receiving of confidential data. [Buy|Download] our product!”
Something cybersecurity insurers will no doubt be working on in just a few
years’ time. :)



Cheers!



Brian R. Martinez

Information Security

Michigan State University

Office: +1-517-884-8791 <(517)%20884-8791>

brm () msu edu



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Hudson, Edward
*Sent:* Monday, March 5, 2018 12:23 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Question about confidential data in emails.



I am curious how one would do that (Refuse to receive confidential data
sent by unencrypted email).



Thanks
Ed





Ed Hudson

Interim Chief Information Security Officer


401 Golden Shore

Long Beach, CA 90802

Tel 562-951-8431 <(562)%20951-8431>

ehudson () calstate edu



I subscribe to e-mail classification: i=Information, a=Action, u=Urgent







*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
*Reply-To:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date:* Sunday, March 4, 2018 at 7:51 PM
*To:* "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject:* Re: [SECURITY] Question about confidential data in emails.



I’m not sure if we have a policy for this.

My personal opinion is that such mail should be rejected. You should
refuse to receive confidential data via unencrypted email.





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Pesino, Sherry
*Sent:* Wednesday, February 28, 2018 1:31 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Question about confidential data in emails.



Looking for some guidance in dealing with confidential data in email.



How do you handle it when outside entities send confidential data via email
and that email needs to be retained, and if not, how is it securely
deleted? Saving an email out of an O365 mailbox and deleting an email may
not securely remove the mail in all forms that Microsoft stores that email
in the mailbox. Scrubbing the info from inside an email may not fully scrub
it. Just wondering if there are any procedures anyone uses to securely
redact/scrub content from an email, and procedures for handling when
confidential data is sent from an outside entity?



Thank you,

Sherry

____________

Sherry Pesino

Information Security Program Office

Connecticut State Colleges and Universities

61 Woodland Street

Hartford, CT 06105

860-723-0021 <(860)%20723-0021>

pesinos () ct edu







--

Frank Barton

Security+, ACMT, MCP

IT Systems Administrator

Husson University





