Educause Security Discussion mailing list archives
Re: Policy language around email and other forms of "official electronic communication" platforms
From: Alex Lindstrom <aglind () UDEL EDU>
Date: Mon, 25 Jan 2021 09:48:45 -0500
Building on the above: We prohibit sensitive data being emailed in cleartext. The first workaround would be to put the data in an encrypted attachment, but that's not the best fix. Usually, if there's a business process that requires routine communication or transfer of sensitive data, we work with the business owner to identify a solution that suits their needs and protects the data at the same time. I'm a firm believer in building security and compliance into easy-to-use solutions; policy directives in the absence of user-friendly options will simply lead to policy violations. E.g.: our clinics needed a secure mechanism for communicating with patients. We ended up using some of the native Outlook and O365 features to create a secure message delivery service where the recipient receives an email notification that a message is available, and the message itself is encrypted and held in a separate portal until the user authenticates. No more PHI in the email itself, encrypted or not. This functionality is baked into some practice management or other systems, and I'd recommend keeping these compliance needs in mind if you're aware of any upcoming RFPs or procurement activity. More holistically speaking, data classification and information security policies need to apply to the entire ecosystem. After all, while email may be the lowest common denominator, many departments have specialized communication tools built into their needs-specific platforms (e.g., CRM, LMS). The best approach I've seen is based on a service catalog keyed to data classification. Some examples of these service catalogs from our peers: - Stanford: https://uit.stanford.edu/guide/riskclassifications#security-approved-services - University of Michigan: https://safecomputing.umich.edu/dataguide/ - Yale: https://cybersecurity.yale.edu/approved-services This covers everything from file storage to collaboration platforms and helps (1) advertise services, (2) reinforce policy, and (3) help users choose compliant tools. The next step from here is proactive business process engineering to ensure that everyone, especially those working with sensitive/regulated data, has compliant and appropriate tools in their workflows. This includes substituting in available options or partnering to procure a new solution (if needed). Best, ----- Alex Lindstrom IT Security Analyst II UDIT Security | Governance, Risk, & Compliance (302) 831-4823 On Fri, Jan 22, 2021 at 4:59 PM Catherine Ullman <cende () buffalo edu> wrote:
Jim, I’d dovetail with Brian’s comments especially about avoiding PII/regulated data in all of these platforms. The reality is that email, generally speaking, is by its very nature not secure –even though there are ways to make it more secure—and these messaging platforms also have risks. Asking people to remember not to send PII to external entities is, IMHO, not practical. For example, you’ll have people who send a message to 3 people internally and one externally, forgetting that they weren’t supposed to do it. Even putting all the bells and whistles of O365 in place, I wouldn’t take that chance. But that’s just my $0.02. Best, Cathy Dr. Catherine J Ullman Senior Information Security Forensic Analyst Information Security Office University at Buffalo cende () buffalo edu *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Martinez, Brian *Sent:* Friday, January 22, 2021 4:50 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Policy language around email and other forms of "official electronic communication" platforms Jim, My two cents: while email may be the “official electronic communication platform” I would tend to stay away from PII being used within it, whether internal or not. Worst case, assuming you have access to such tools (I think it’s built-in at all level of 365(?)), utilize the #encrypt feature in the subject line to encrypt sensitive data. Best case, you find some other more secure medium to act as an intermediary for sending/receiving such data. I’d consider Teams within the same realm as email. The whole idea behind Slack, originally, was to be an “email replacement.” I feel Microsoft really made better progress towards that than Slack did given how heavily Teams ties into the [collaborative] 365 environment. And, of course, during this pandemic, Teams usage has become pervasive. While certainly a separate product from Outlook/Exchange, it is likely assessed similarly (by which I mean the answers on a HECVAT from the Microsoft Teams team would likely be nearly the same answers provided by the Microsoft Mail team). I would think Zoom, Blackboard, and any other products in which you can message should be encompassed in the policy as well, but I would absolutely *not* send anything PII through them and it sounds like your policy would already address that. Shorter answer here: Yes, definitely include other forms of electronic communication in said policy. Regards, Brian R. Martinez Information Security Michigan State University Office: +1-517-884-8791 brm () msu edu *From:* The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Bole, Jim A *Sent:* Friday, January 22, 2021 11:54 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Policy language around email and other forms of "official electronic communication" platforms We’re working on an email policy that is mostly focused on making sure everyone knows email is the main official method of communication. There are sections about no expectation of privacy, every has to read their emails, etc. There is a section on using email for sensitive data. We do have a simple data classification standard, but we don’t have clearly defined rules for when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc). I think there should be a distinction between emails sent internally vs externally. We’re an O365 shop and my understanding is that email (and other data such as OneDrive, Teams) within our tenant meets basic encryption requirements for both in-transit and at-rest conditions (outside of the issue of Microsoft having the keys/certs). External email is a qualified “maybe” with some services negotiation secure transport while others don’t. So we can’t guarantee the security/encryption. I’m curious if others agree with this. I’m also looking at added sections for bulk mail, relaying and forwarding. And, I wonder if it makes sense to expand the policy to include other forms of `’official electronic communication.” Is Teams the same as email? What about chat in Blackboard or Zoom? While these may not be used to communicate official university announcements, they are used by student and employees to conduct sanctioned university operations. So for that there should be similar rules about no privacy, sensitive information, inappropriate use, etc. I’m torn on this aspect, so I’d be interested in feedback. Any other suggestions or examples of good policies appreciated. Jim Bole Chief Information Security Officer Information Technology Services University at Albany ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.educause.edu%2Fcommunity__%3B!!HXCxUKc!iOmUgagRsdy4F9Gu_QcjBRylUqOUtLA7jrtZyNQw-0PYS_yOmWiX4fRvd5k%24&data=04%7C01%7Ccende%40buffalo.edu%7Cfd301b10a5784ba9aec308d8bf1f9f5c%7C96464a8af8ed40b199e25f6b50a20250%7C0%7C0%7C637469490140414280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=wA5Fmnsr9B9xKtQbdAFLSCBoRL2rVTh0ScqrLhDm8sg%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccende%40buffalo.edu%7Cfd301b10a5784ba9aec308d8bf1f9f5c%7C96464a8af8ed40b199e25f6b50a20250%7C0%7C0%7C637469490140424246%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lpaQ5Lb9LiNuFSyIu34Qiiz8Zq%2FOTTDJqKGkZ%2FYK6TM%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Policy language around email and other forms of "official electronic communication" platforms Bole, Jim A (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Martinez, Brian (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Catherine Ullman (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Alex Lindstrom (Jan 25)
- Re: Policy language around email and other forms of "official electronic communication" platforms Catherine Ullman (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Martinez, Brian (Jan 22)