Educause Security Discussion mailing list archives
Re: Gmail, etc. - Forwarding Email to Personal Accounts!
From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Wed, 8 Nov 2006 12:51:32 -0800
Connie: Your concerns are justified. This is where you examine your existing policies and maybe start the work on some new ones. The potential for exposure of sensitive (or FERPA-protected) data this way is very real. Geoff points out that sensitive data should be encrypted anyway, but just when do you do that? A tenured faculty is exchanging a series of email with a student discussing grades, class status and other items. While each item in the exchange may not reveal much or be considered sensitive, the whole series of notes collected and exposed on a mail server you have no control over could be devastating. But, if your policy allowed the faculty to forward to gmail or other personal email providers, you are as responsible for the data exposure as the email provider. In addition, what are your policies for data sharing? In our state (private institutions have their own crosses to bear) we are required to execute data sharing agreements when we share data with third parties. If our policy allows staff/faculty/(students?) to forward institution email to third party email hosts, we would have to execute a DSA with each of those providers. From what I've seen so far, none of them could meet the requirements of the standard DSA we use. In a previous life, we had the faculty/staff forward their hotmail or yahoomail or whatever, to their institution email account, instead. There were a number of reasons why it made more sense, then. In addition, we encouraged the students to use their school-provided email for school work. We couldn't guarantee that email they sent to faculty from the free email services would be received, so the only "official" mode was through their school email. It isn't perfect, but it was the policy and it reduced our liability--not just for data exposure. As for Ken's comments about tenured faculty. If you can't develop a policy and expect staff and faculty (tenured or otherwise) to adhere to it, you got bigger problems. Guy L. Pace, CISSP Security Administrator Center for Information Services (CIS) 3101 Northup Way, Suite 100 Bellevue, WA 98004 425-803-9724 gpace () cis ctc edu ________________________________ From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] Sent: Wednesday, November 08, 2006 12:15 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Gmail, etc. - Forwarding Email to Personal Accounts! Sadler, Connie wrote: Hi, all... we have more and more people (faculty and staff as well as students) who want to forward their work-related messages, as well as their personal messages, to one central email account, usually gmail. Obviously, I am concerned about having potentially sensitive university email content sitting on a gmail server. What are you folks doing to manage these sorts of requests? Are you preventing staff or faculty from doing this? If so, how has that worked? We are rapidly moving toward expectations people have of having all of their messaging funneled to one place, and while this is certainly convenient, I'm quite concerned about how we can ensure a reasonable level of security. Thanks - We encourage our people to forward their Wayne State e-mail to another account if they regularly use other accounts (i.e. rather than not read our sparkling prose at all), but people shouldn't be sending that kind of sensitive e-mail anyway--or at least not without encrypting it. Not that we've suggested encrypting either... Geoff -- Geoffrey S. Nathan <geoffnathan () wayne edu> <mailto:geoffnathan () wayne edu> Faculty Liaison, Computing and Information Technology,<p> and Associate Professor of English, Linguistics Program<p> Phone Numbers (313) 577-1259 or (313) 577-8621<p> Wayne State University<p> Detroit, MI, 48202
Current thread:
- Gmail, etc. - Forwarding Email to Personal Accounts! Sadler, Connie (Nov 08)
- <Possible follow-ups>
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Geoff Nathan (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa Semmens (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Ken Connelly (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Pace, Guy (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Parker, Ron (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! hokan (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! David Lundy (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Geoffrey S. Nathan (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Mark S. Bruhn (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Mike Wiseman (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Steve Schuster (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 09)
(Thread continues...)