Mitigating the Risk of Privacy Breaches in the Home Office

[Bryce Cunningham <bcunningham () COLLEGES-FENWAY ORG>]

For obvious reasons, cybersecurity safeguards in the home office are increasing in importance as our schools rapidly 
adjust to a new business environment where working at home is no longer the exception. This is an additional concern 
for institutions that may not be able to provision endpoints for all staff. The more apparent mitigation is schools 
developing and publishing  security baselines for employees who work on personally-owned computers (anti-malware, VPN, 
encryption, minimum O/S type and version, software updates, et al.). That’s sensible and necessary, but we must also 
consider the less obvious data loss vector of family, friends, contractors, etc., viewing PII on an employee’s computer 
in the home office. Regardless of how unlikely we think this would occur – or how likely an employee would report to us 
such an incident – it could still be a privacy breach depending on the jurisdiction of the institution and the 
residency and/or nationality of the person’s whose privacy was breached. I see three controls to mitigate this: Privacy 
screens, password-enabled screen saver with idle activation, and a policy for accessing digital PII off campus. Please 
comment if you can think of other controls to mitigate this specific risk… or have an opinion on the necessity of such 
controls.

Bryce Cunningham, MS, CISM, CISSP
Information Security Officer
Colleges of the Fenway
(ISO for Wentworth Institute of Technology and Mass College of Art and Design)
Email: bcunningham () colleges-fenway org<mailto:bcunningham () colleges-fenway org>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community