Re: 3rd Party Spam Services & Data Confidentiality

["Mark S. Bruhn" <mbruhn () INDIANA EDU>]

Well, I agree with the other two responses (don't send sensitive data in
unencrypted and unsigned email).

But, whilst you are working hard on fixing that global problem like all the
rest of us (aren't we?), I suggest that you tell this other outfit that this
is an added risk that the institution should avoid.

Are you providing any central/border spam filtering services?

M.


--
Mark S. Bruhn

Associate Vice President for Telecommunications
Executive Director, REN-ISAC (http://ren-isac.net)
Indiana University



> From: Doug Sandford <dsandfor () SEEBECK UA EDU>
> Reply-To: The EDUCAUSE Security Discussion Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Wed, 7 Jun 2006 09:31:13 -0500
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] 3rd Party Spam Services & Data Confidentiality
>
> We have a department on campus that, via an MX record, is having all
> their e-mail sent through a third party spam checking service. In the
> absence of an institutional spam appliance or anything similar, we
> understand their reasoning. Don't we all.
> My concern is the integrity and confidentiality of institutional data
> (FERPA related for example) that passes into the hands of these
> services and what they may do with it or who may have access to it.
> What if a piece of mail is quarantined for some reason and it does in
> fact contain sensitive data? Does the institution have liability for
> the confidentiality of that data now that it is on the vendors
> server?
> It's my initial reactive position that, since we forward the mail to
> an internal institutional address initially, that the department
> arranging for the services is responsible for contractual assurances
> with the vendor. This issue raised it's ugly head just yesterday so
> I'm doing some homework before approaching the powers that be with
> possible solutions.
> Any thoughts or success stories are welcome. Lurking vendors please
> be aware my phone rings constantly all ready. ;)
>
> Thanks in advance...
> Doug Sandford
> Information Security Officer
> University of Alabama
> Seebeck Computer Center
> doug () ua edu
>
> This email is intended only for the person to whom it is
> addressed.  Any review or other use of this information by
> persons or entities other than the intended recipient or any
> retransmission without the consent of the sender is prohibited.