Educause Security Discussion mailing list archives

Re: Internal Security Breach Costs


From: Jack Suess <jack () UMBC EDU>
Date: Tue, 22 Nov 2005 19:40:59 -0500

I think there are legitimate risks that arise from internal staff and I
know there are a few cases where internal faculty and staff have sold
information illegally.

That said, I would tread lightly here and make sure that you understand
your campus culture. Nothing undermines IT credibility more than proposing
policies that seem to disrespect the role of the faculty. Suggesting that
all your faculty undergo background checks or presenting them with a
statement that their activity can and may be monitored can undermine
support.

What I am trying to do at my institution:

1. I think we should all begin to focus on adding language into our AUPs
around privacy protection. I think adding language that speaks to a shared
cultural value around protecting the confidentiality of sensitive
information is important, and that the institution is taking these steps to
protect the privacy of everyone in the community and each member has a
role to play in achieving that goal.

2. We all have student workers, and some have access to sensitive data; we
should develop a data confidentiality agreement for student employees.

3. We all have temporary and contractual workers. Add language on data
confidentiality to your standard employment agreement for contractual
employees.

4. I would add language on data confidentiality into the documents you
have new employees sign when they are hired. At that time they are signing
a lot of material and there is less push-back on this than asking tenured
faculty to sign a pledge that they won't divulge data.

5. We should focus on proactive compliance training around FERPA, GLB, and
HIPAA to those where these existing requirements apply. Making this
available through online training courses is a better way to deploy this
kind of training. Start with training staff in those units directly
impacted and make this a requirement for all new people before they get
access to that type of protected data. Over time you can expand to other
groups.

6. Last, but not least, we have to focus on why we are granting people we
might not trust access to sensitive information. Remember the issue that
happened years ago at the IRS when temporary employees could look up any
person's tax returns and it was divulged they leaked information. We
probably need to rethink data access policies where people or groups get
sensitive information about people. Is access to those data elements
absolutely necessary?


jack suess

On Mon, 21 Nov 2005, Youngquist, Jason R. wrote:

Speaking of internal security breach costs, what methods are people
using to try and reduce the threat of an insider or a former employee
using confidential information for malicious purposes/monetary gain?

Here are a few ideas I have come up with, but I don't know how useful they
are as a deterrent.

      *       Perform background checks on potential employees
      *       Have a security policy that faculty/staff have to read
      *       Security awareness training
      *       Employee monitoring - i.e. letting
              employees know that they can and may be monitored.

Also, this list doesn't take into consideration former employees who,
while employed, had access to confidential information and could have a
copy of the data stored at their house.

Thanks.

Jason Youngquist
________________________________

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
Sent: Friday, November 18, 2005 1:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Internal Security Breach Costs

In preparation for presenting a data custodianship policy to the
powers-that-be here at Wayne I'd like to find a couple of real-life
examples of problems caused by employee access to sensitive data (it's
easy to find reports of cases of externally hacked files).  Could anyone
point me to news reports of internal employee misuse of sensitive data
at some university?
Many thanks,

Geoff Nathan


Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
        and Associate Professor of English
Linguistics Program
Department of English
Wayne State University
Detroit, MI, 48202

Phone Numbers
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338

