Educause Security Discussion mailing list archives
Re: Internal Security Breach Costs
From: Jack Suess <jack () UMBC EDU>
Date: Tue, 22 Nov 2005 19:40:59 -0500
I think there are legitimate risks that arise from internal staff, and I know there are a few cases where internal faculty and staff have sold information illegally. That said, I would tread lightly here and make sure that you understand your campus culture. Nothing undermines IT credibility more than proposing policies that seem to disrespect the role of the faculty. Suggesting that all your faculty undergo background checks, or presenting them with a statement that their activity can and may be monitored, can undermine support.

What I am trying to do at my institution:

1. I think we should all begin to focus on adding language into our AUPs around privacy protection. I think adding language that speaks to a shared cultural value around protecting the confidentiality of sensitive information is important, and that the institution is taking these steps to protect the privacy of everyone in the community and each member has a role to play in achieving that goal.

2. We all have student workers, some of whom have access to sensitive data; we should develop a data confidentiality agreement for student employees.

3. We all have temporary and contractual workers. Add language on data confidentiality to your standard employment agreement for contractual employees.

4. I would add language on data confidentiality into the documents you have new employees sign when they are hired. At that time they are signing a lot of material, and there is less push-back on this than asking tenured faculty to sign a pledge that they won't divulge data.

5. We should focus on proactive compliance training around FERPA, GLB, and HIPAA for those to whom these existing requirements apply. Making this available through online training courses is a better way to deploy this kind of training. Start with training staff in those units directly impacted and make this a requirement for all new people before they get access to that type of protected data. Over time you can expand to other groups.

6. Last, but not least: we have to focus on why we are granting people we might not trust access to sensitive information. Remember the issue that happened years ago at the IRS when temporary employees could look up any person's tax returns and it was divulged they leaked information. We probably need to rethink data access policies where people or groups get sensitive information about people. Is access to those data elements absolutely necessary?

jack suess

On Mon, 21 Nov 2005, Youngquist, Jason R. wrote:
Speaking of internal security breach costs, what methods are people using to try and reduce the threat of an insider or a former employee using confidential information for malicious purposes/monetary gain? Here are a few ideas I have come up with, but I don't know how useful they are as a deterrent.

* Perform background checks on potential employees
* Have a security policy that faculty/staff have to read
* Security awareness training
* Employee monitoring - i.e. letting employees know that they can and may be monitored.

Also, this list doesn't take into consideration former employees who, while employed, had access to confidential information and could have a copy of the data stored at their house.

Thanks.
Jason Youngquist

________________________________
From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
Sent: Friday, November 18, 2005 1:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Internal Security Breach Costs

In preparation for presenting a data custodianship policy to the powers-that-be here at Wayne, I'd like to find a couple of real-life examples of problems caused by employee access to sensitive data (it's easy to find reports of cases of externally hacked files). Could anyone point me to news reports of internal employee misuse of sensitive data at some university?

Many thanks,
Geoff Nathan

Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
and Associate Professor of English, Linguistics Program
Department of English, Wayne State University, Detroit, MI, 48202
Phone Numbers:
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338