Educause Security Discussion mailing list archives

Re: Gmail, etc. - Forwarding Email to Personal Accounts!

From: "Mark S. Bruhn" <mbruhn () INDIANA EDU>
Date: Thu, 9 Nov 2006 09:33:24 -0500

It may be less costly, in fact -- if the institution doesn't hold the data,
it cannot be sought by legal orders served on the institution.

We went through that here, because the Indiana open records law has
absolutely no exception for personal email -- that is, someone can ask for
all of the email currently in my IU-provided email mailbox, and we would not
be able to hold back or redact anything (other than those bits which would
be excepted under the very few exceptions that are in the law).

So, when the no-personal-email-exception was confirmed recently, we started
telling everyone that they might want to get themselves an outside account
for their personal email.  What we did NOT say was that the outside email
could constitute a safe haven for business email, because that would have
been, at very least, contrary to the spirit of the law.  On the other hand,
we do not have a stated policy that employees MUST use their IU-provided
email account to transact IU business.

The bigger issue that is adjacent to to the one you identify is collections
of mission-related email stored somewhere else -- if that employee is
terminated or is otherwise unable or unwilling to ship those back to someone
on campus, that could be a real problem.

By the way, we DO have a statement from Student Affairs that official email
to students will be sent to their IU email address, and it is the student's
responsibility to make sure (for situations under their control) that their
email accounts are ready and able to receive that mail.  Inasmuch as we are
starting to contemplate whether we will stay in the student email business,
that will perhaps become an issue.

M.

--
Mark S. Bruhn

Associate Vice President for Telecommunications
Executive Director, REN-ISAC (http://ren-isac.net)
Indiana University

From: David Lundy <dlundy () PACIFIC EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 8 Nov 2006 15:21:47 -0800
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Gmail, etc. - Forwarding Email to Personal Accounts!

All:
     I not seen anyone else mention it, but the elephant in the room
for us is E-Discovery.  If faculty and staff are allowed to forward
email to a non-university personal account, they will no doubt use that
account for sending official email.  In addition replies to emails sent
from that account could return directly to that account.  We would have
no means of archiving that email which could be a serious and possibly
costly problem if we are sued.  We are looking at archiving
possibilities which would have the requisite search tools, possibly
hosted by a third-party and requiring all official email (faculty and
staff) use the campus email system so the email would be archived.  Is
anyone else dealing with E-Discovery issues?

David Lundy

----
David Lundy
Acting IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898

"Sadler, Connie" <Connie_Sadler () BROWN EDU> 11/08/06 12:02 PM >>>


Hi, all... we have more and more people (faculty and staff as well as
students) who want to forward their work-related messages, as well as
their personal messages, to one central email account, usually gmail.
Obviously, I am concerned about having potentially sensitive
university
email content sitting on a gmail server. What are you folks doing to
manage these sorts of requests? Are you preventing staff or faculty
from
doing this? If so, how has that worked? We are rapidly moving toward
expectations people have of having all of their messaging funneled to
one place, and while this is certainly convenient, I'm quite concerned
about how we can ensure a reasonable level of security.

Thanks -

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

Current thread:

Re: Gmail, etc. - Forwarding Email to Personal Accounts!, (continued)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Geoff Nathan (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa Semmens (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Ken Connelly (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Pace, Guy (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Parker, Ron (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! hokan (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! David Lundy (Nov 08)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Geoffrey S. Nathan (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Mark S. Bruhn (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Mike Wiseman (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Steve Schuster (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Paul Kendall (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! David Gillett (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Mclaughlin, Kevin L (mclaugkl) (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Theresa M Rowe (Nov 09)
- Re: Gmail, etc. - Forwarding Email to Personal Accounts! Waller, Michael A. (HSC) (Nov 10)