Educause Security Discussion mailing list archives

Re: Gmail, etc. - Forwarding Email to Personal Accounts!


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Wed, 8 Nov 2006 12:51:32 -0800

Connie: Your concerns are justified. This is where you examine your
existing policies and maybe start the work on some new ones. The
potential for exposure of sensitive (or FERPA-protected) data this way
is very real. Geoff points out that sensitive data should be encrypted
anyway, but just when do you do that? A tenured faculty is exchanging a
series of email with a student discussing grades, class status and other
items. While each item in the exchange may not reveal much or be
considered sensitive, the whole series of notes collected and exposed on
a mail server you have no control over could be devastating. But, if
your policy allowed the faculty to forward to gmail or other personal
email providers, you are as responsible for the data exposure as the
email provider.
 
In addition, what are your policies for data sharing? In our state
(private institutions have their own crosses to bear) we are required to
execute data sharing agreements when we share data with third parties.
If our policy allows staff/faculty/(students?) to forward institution
email to third party email hosts, we would have to execute a DSA with
each of those providers. From what I've seen so far, none of them could
meet the requirements of the standard DSA we use.
 
In a previous life, we had the faculty/staff forward their hotmail or
yahoomail or whatever, to their institution email account, instead.
There were a number of reasons why it made more sense, then. In
addition, we encouraged the students to use their school-provided email
for school work. We couldn't guarantee that email they sent to faculty
from the free email services would be received, so the only "official"
mode was through their school email.
 
It isn't perfect, but it was the policy and it reduced our
liability--not just for data exposure.
 
As for Ken's comments about tenured faculty. If you can't develop a
policy and expect staff and faculty (tenured or otherwise) to adhere to
it, you got bigger problems.

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 

 

________________________________

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] 
Sent: Wednesday, November 08, 2006 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Gmail, etc. - Forwarding Email to Personal
Accounts!


Sadler, Connie wrote: 


        Hi, all... we have more and more people (faculty and staff as
well as students) who want to forward their work-related messages, as
well as their personal messages, to one central email account, usually
gmail. Obviously, I am concerned about having potentially sensitive
university email content sitting on a gmail server. What are you folks
doing to manage these sorts of requests? Are you preventing staff or
faculty from doing this? If so, how has that worked? We are rapidly
moving toward expectations people have of having all of their messaging
funneled to one place, and while this is certainly convenient, I'm quite
concerned about how we can ensure a reasonable level of security.

        Thanks - 

We encourage our people to forward their Wayne State e-mail to another
account if they regularly use other accounts (i.e. rather than not read
our sparkling prose at all), but people shouldn't be sending that kind
of sensitive e-mail anyway--or at least not without encrypting it.  Not
that we've suggested encrypting either...

Geoff

-- 
Geoffrey S. Nathan <geoffnathan () wayne edu>

Faculty Liaison, Computing and Information Technology,
and Associate Professor of English, Linguistics Program
Phone Numbers (313) 577-1259 or (313) 577-8621
Wayne State University
Detroit, MI, 48202
