Educause Security Discussion mailing list archives

Re: Policy - Employees using personal storage


From: "King, Ronald A." <raking () NSU EDU>
Date: Thu, 15 Aug 2019 15:57:28 +0000

[Playing catch up here.]

Thanks for your insight.

To answer the question, none. The approach is to educate on the problems with “free” cloud storage. We are an O365 shop 
and use OneDrive. So, we coach them to migrate to it rather than discipline. Most don’t understand the risks and want 
to do the right thing.

We get the usual sales message from Dropbox of how many NSU.edu addresses are used for accounts, but, we do not know 
how much data being stored by those accounts is the University’s.

While I would like to have multiple options for our faculty and staff, having multiple cloud storage services is cost 
prohibitive for us. Not just money, but human as well.

We do allow use by students.

Thanks again,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jack Suess
Sent: Friday, July 19, 2019 11:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy - Employees using personal storage

Ronald,

How many faculty or staff have you disciplined for using a personal 3rd party storage service?

I ask because it is 1) easy to state you can't do this, and 2) very difficult to actually enforce this. I don't 
disagree with policy that is a CYA but legally, if you don't enforce your policies you can end up complicit in a 
violation of policy.

Our strategy is we have institutional agreements with Box, Google, and Microsoft 365. Our position is that central IT 
is responsible for the protection of any research data or institutional data using our 3rd party storage tools as we 
have documented (note, we do license Cisco Cloudlock to examine data flows outside the enterprise for each service) so 
long as you use your institutional credentials. If you use your personal account or institutional email with your own 
password and have a security issue arise the liability is yours and the university can take action to discipline you, 
such as termination.

The key difference is as long as you use your university account you are protected - we'll give you options for a 
variety of 3rd party storage. Where we separate the products is health care data, in that case we have a BAA with 
Microsoft and Box, but not Google.

To answer my own question, we have not had to go after any employees because data from a personal 3rd party storage 
leaked out and was inappropriate. We have been Google Apps since 2010, Box since 2012, and O365 since 2014. Saying 
that, I know a number of faculty still use Dropbox, which we don't have an enterprise agreement with.  As we look at 
this it is generally their small research group sharing files and we encourage them to move to one of the big three to 
get more storage and better protection.


j

Jack Suess             UMBC VP of IT & CIO
jack () umbc edu       1000 Hilltop Circle
410.455.2582          Baltimore Md, 21250



On Fri, Jul 19, 2019 at 2:48 PM King, Ronald A. <raking () nsu edu> wrote:
Our AUP states the following is prohibited:
Installing online storage applications, such as OneDrive, Google Drive, or storing University data on online storage.

Note: This restriction does not apply to students and faculty using online storage for academic purposes only, i.e. 
teaching the use of online storage, or sharing class/educational material not containing 
sensitive/protected information.


Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-3918 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Keenan Martinez 
<0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 19, 2019 at 8:05 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Policy - Employees using personal storage

Good day,

Can members advise how they treat with employees who use their personal online storage (Gmail, Hotmail, Dropbox, etc) 
to store company files instead of company assigned storage? Is there a policy that would guide the restricted use?

Thanks in advance.

Regards,



Keenan Martinez
Manager -  Information Technology & METS
The Arthur Lok Jack Global School of Business
1, Max Richards Drive, Uriah Butler Highway North West, Mt. Hope. Trinidad & Tobago (UTC -4 hours)
Mt. Hope, Trinidad, W.I.
Tel : (868) 645-6700 ext: 333 | (868) 498-0764 | Email : k.martinez () lokjackgsb edu tt | 
www.lokjackgsb.edu.tt



Empowering UWI-ALJGSB to thrive in a digital world
