Educause Security Discussion mailing list archives
Re: Minimum DLP rules & thresholds for all users
From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Wed, 11 Nov 2020 16:31:09 +0000
Thanks Jeff and Ken for your feedback. Sounds like we're in the same boat: IT leading from the middle. The recent Educause QuickPoll on risk, privacy and compliance re-emphasized some points I've been trying to make about having others outside of IT involved in data governance. I'll be interested in the results.

Jim

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jeff Choo
Sent: Monday, November 9, 2020 2:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Minimum DLP rules & thresholds for all users

Hi Jim

1. We are in an Office 365 environment so we use the built-in DLP feature to set up a blanket standard DLP policy across all users under the same domain. We then make an exception for individuals who tend to handle a lot of PII or FERPA related data with external partners such as our HR dept or Registrar Dept so they don't have to report for rule exceptions every time.

2. We use the standard templates in Office 365 that cover HIPAA, FERPA, GLBA, and PII against all emails going outside of the domain.

3. We are a small college like yours so the decisions are usually made/recommended by a few key stakeholders, and then approved by the executive sponsor(s). In the DLP case - the decisions are made by me/IT Office and then approved by my boss, VP of Finance and Operations.

Regards
Jeff Choo
Director of Information Technology, Information Security Officer
William James College
1 Wells Avenue, Newton MA, 02459
E: Jeff_Choo () williamjames edu
O: (857) 299-7243
W: http://support.williamjames.edu/

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, November 9, 2020 1:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Minimum DLP rules & thresholds for all users

I would like to get some feedback from folks that have deployed a DLP solution:

1. What are the minimum rules and thresholds you've applied across your org to all/most users, as opposed to more granular rules you may have applied to specific groups requiring increased security/privacy?

2. Since SSN is often regarded as a key piece of PII, what rules/thresholds have you applied for SSNs and what regulatory criteria support it (FERPA, GLBA, GDPR, etc.)?

3. What person or group is responsible for establishing DLP policy parameters, IT, Privacy Office, Legal, etc.?

I'm especially interested in small/medium private institutions like mine who don't have as heavy of a compliance burden as larger, public ones.

Many thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Minimum DLP rules & thresholds for all users Jim A. Bole (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Ken Munro (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Jeff Choo (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Jim A. Bole (Nov 11)