Re: Do students hold universities accountable for protecting their information?

[Josh Callahan <josh.callahan () HUMBOLDT EDU>]

I like the idea of flipping the question.  To "Do we hold ourselves
accountable for our student's information that we hold?" I think we can be
an enthusiastic "Yes!"  That's why we are here and in my experience we are
dedicated and passionate about holding ourselves accountable as individuals
and a community to increasingly high standards.

What I was trying to get at initially was we don't currently have a
regulatory and legal environment that allows individuals much ability to h
old institutions accountable around privacy - but that's coming in fast.

-Josh

On Tue, Jun 12, 2018, 6:02 AM Ruth Ginzberg <rginzberg () uwsa edu> wrote:

> Procurement here:
>
>
>
> I think you also need to think about educating your constituents about
> reading privacy policies, which means reading beyond the first couple of
> paragraphs.
>
>
>
> I cannot tell you how many privacy policies I have seen that start out
> saying, “[Company name] cares about your privacy and takes it very
> seriously…” and then go on to spell out the most egregious violations of
> users’ privacy (often on page 8 or page 33 or some other section much
> further down in the privacy document than most users will ever read).
>
>
>
>
>
> Ruth Ginzberg
> Sr. I.T. Procurement Specialist
> University of Wisconsin System
> 608-890-3961
>
> Sent from Surface tablet by Mail for Windows 10
>
>
> ------------------------------
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <
> bartonf () HUSSON EDU>
> *Sent:* Tuesday, June 12, 2018 7:37:28 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Do students hold universities accountable for
> protecting their information?
>
> I like Robert's response, and I really like Brad's breakdown of the
> various ways that 'accountability' can be perceived.
>
> I think the flip question is: Do we hold ourselves accountable for our
> student's information that we hold?
>
> This is a much harder question to answer. Now we are not only looking at
> regulations, but also policies, and interpretation of policies, and
> differences between various groups/offices on campus. As IT, I want to say
> that "yes, we as an institution are holding ourselves accountable for
> student's personal information", but I also know that we have multiple
> layers of DLP, audit trails, and other protective measures in place because
> we know that mistakes happen, humans are only human after all.
>
> Where I can say that we (academic institutions as a whole) are probably
> not doing as well as we could, is educating our students on how best to
> protect their own information: Malware, social media exposure, how to
> protect home networks, adware, spyware, phishing, etc... we have many
> layers of protection that we put on the networks and systems that we
> manage, and there is little understanding outside of our offices as to what
> we do, and why, and how individuals, not just organizations, are targets.
> We have had individual faculty members ask us to present to their class
> about information security, but this is the exception rather than the rule.
>
> How are other schools ensuring that they are educating all students to
> make sure that they are at least aware of the threats against them and
> their personal information?
>
> Frank
>
> On Tue, Jun 12, 2018 at 7:41 AM, John Ramsey <
> jramsey () studentclearinghouse org> wrote:
>
> > National Student Clearinghouse provides third party services to many of
> > the universities and colleges.  Many (if not most) of your schools are
> > exceptionally diligent in ensuring that we’re protecting your students’
> > data.  I can say from direct interaction with the schools, you do hold us
> > to a high standard for protecting “your” students’ data.  I’d think the
> > accountability of third party services might range anywhere from a company
> > that performs transcript services to a company that provides cloud services
> > (such as Office 365) or even something where student data is accessible via
> > cloud services or mobile devices.  Where I’m going with this is that as a
> > third party, it seems as a results of student’s holding universities
> > accountable to protect their data, you’re holding third party services to a
> > high standard to ensure you’re accountable to not only the schools but the
> > students and their parents.
> >
> >
> >
> > John
> >
> >
> >
> > *John Ramsey*, Chief Information Security Officer, *National Student
> > Clearinghouse*
> >
> > Certified:  CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
> > 2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171
> > <https://maps.google.com/?q=2300+Dulles+Station+Blvd.,+Suite+220,+Herndon,+VA+20171&entry=gmail&source=g>
> >
> > P: 703.742.4428  |   http://www.studentclearinghouse.org
> >
> > Read the *Clearinghouse Today Blog* <https://nscblog.org/>
> >
> > *Winner “2016 When Work Works” & “Excellence in Work-Life Balance”*
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Brad Judy
> > *Sent:* Monday, June 11, 2018 4:40 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> >
> > *Subject:* Re: [SECURITY] Do students hold universities accountable for
> > protecting their information?
> >
> >
> >
> > To summarize some of the points made here (as well as my own thoughts), I
> > think you can pull this together as a can/should/do form:
> >
> >
> >
> >    - *Can (rights)* individuals hold institutions accountable (are there
> >    supporting laws/policies/etc that set that right or expectation?) – Yes, we
> >    have some laws in that space (FERPA, HIPAA) and many schools have related
> >    policies. What individuals “can” do is also evolving with privacy law
> >    changes.
> >    - *Can (capability) *individuals hold institutions accountable? –
> >    This is much harder to answer and the honest response is probably “the vast
> >    majority of individuals do not have the capability themselves.” They need
> >    assistance to understand the laws, gather information, interface with
> >    organizations, etc.
> >    - *Should *individuals hold institutions accountable for data
> >    security/privacy – Yes, I think it’s good for anyone to hold any
> >    organization accountable for meeting privacy/security
> >    requirements/expectations.
> >       - Should all of the responsibility of accountability oversight be
> >       on the individual? No, I don’t think so.  One of the reasons we have
> >       accountability offices and watchdog groups is the challenge of the
> >       capability issue.  Even if we lower the bar on those challenges, it will
> >       likely still remain out of reach for many individuals.
> >    - *Do* individuals hold institutions accountable?  - Sometimes, but
> >    it seems pretty infrequent.  I would guess this is due to a mix of lack of
> >    personal priority/interest and the capability challenge.
> >
> >
> >
> > At the moment, pushing accountability on privacy often requires
> > assistance from third-parties (non-profits, governments, etc.). Some of the
> > movement we see in data privacy and security is putting options/tools into
> > the hands of individuals to ask questions not just about “What data do you
> > have about me?” but also “How do you use that data?” and “Who have you
> > given that data to?”  Perhaps someday it will be easier for an individual
> > to understand how organizations handle your personal data, but for now,
> > this issue is still in a very messy adolescent phase.
> >
> >
> >
> > Brad Judy
> >
> >
> >
> > Information Security Officer
> >
> > Office of Information Security
> >
> > University of Colorado
> > 1800 Grant Street, Suite 300
> > <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO++80203+%0D%0A+Office:+(303&entry=gmail&source=g>
> > Denver, CO  80203
> > <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO++80203+%0D%0A+Office:+(303&entry=gmail&source=g>
> >
> > Office: (303
> > <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D%0ADenver,+CO++80203+%0D%0A+Office:+(303&entry=gmail&source=g>)
> > 860-4293
> >
> > Fax: (303) 860-4302
> >
> > www.cu.edu
> >
> >
> >
> > [image: cu-logo_fl]
> >
> >
> >
> >
> >
> >
> >
> > *From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> > Paige Francis <paige () UARK EDU>
> > *Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > *Date: *Monday, June 11, 2018 at 2:10 PM
> > *To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> > *Subject: *Re: [SECURITY] Do students hold universities accountable for
> > protecting their information?
> >
> >
> >
> > I’m not sure if they hold us accountable but I do believe they absolutely
> > have that expectation. In addition, with FERPA and HIPAA we’re bound to
> > safeguard protected data.
> >
> >
> >
> > --
> >
> > *Paige Francis*
> > Associate CIO, University of Arkansas
> >
> > Fayetteville, AR #UARK #GoHogs
> >
> >
> >
> > Need IT Help? <https://its.uark.edu/> | Twitter
> > <https://twitter.com/CIOPaige> | LinkedIn
> > <https://www.linkedin.com/in/paigefrancis/> | Blog
> > <https://www.linkedin.com/in/paigefrancis/>
> >
> >
> >
> > *From: *The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "McIntosh, Keith" <
> > kmcintosh () RICHMOND EDU>
> > *Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU>
> > *Date: *Monday, June 11, 2018 at 9:07 AM
> > *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> > *Subject: *[SECURITY] Do students hold universities accountable for
> > protecting their information?
> >
> >
> >
> > Colleagues,
> >
> >
> >
> > Someone recently asked me the following question and I wondered what you
> > would say.   I believe students and parents have reasonable expectations
> > that we are both protecting their information and ensuring privacy.
> >
> >
> >
> > *  Do students hold universities accountable for protecting their
> > information?  *
> >
> >
> >
> >
> >
> > *Keith W. "Mac" McIntosh*
> >
> > he/his/him
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.mypronouns.org_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=9ZKxtGifiJT_omfG3l59i0uii-6HEcp-4bOI_XeNt58&e=>
> >
> > Vice President and Chief Information Officer
> >
> > Information Services
> >
> >
> > Jepson Hall G-12
> >
> > 28 Westhampton Way
> > <https://maps.google.com/?q=28+Westhampton+Way&entry=gmail&source=g>
> >
> > University of Richmond, VA 23173
> >
> > Office: 804.289.8771
> >
> > Fax: 804.289.8988
> >
> > http://is.richmond.edu
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__is.richmond.edu_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=90YlN-N0Ju2PBK4xgYEsTM3k3lRUUnkwKAc-OBTeK-I&e=>
> >
> >
> > Email: kmcintosh () richmond edu
> >
> > Twitter: @
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=>
> > Keith_McIntosh
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=>
> >
> >
> >
> > =======================================================
> >
> > This message has been analyzed by Deep Discovery Email Inspector.
>
>
>
> --
> Frank Barton
> Security+, ACMT, MCP
> IT Systems Administrator
> Husson University