Educause Security Discussion mailing list archives

Re: Gmail, etc. - Forwarding Email to Personal Accounts!


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 9 Nov 2006 11:09:51 -0600

There is another aspect of this issue to consider. I just completed an
engagement with a client whose employees did this very thing. I
contacted a couple of corporate lawyers regarding how discovery requests
might be affected by the knowledge that employees transferred mail to
other accounts (home computers, Netscape, gmail, etc.). The response was
simple: in many cases, the discovery request would be extended to
include all those systems, which could include home computers, third
party service providers, etc. It would depend largely upon the nature of
the case, but if it was considered relevant, it would likely be as
far-reaching as possible in order to gather potential evidence.
 
plk
 
========================================
Dr. Paul L. Kendall, CHS-III, CISM, CISSP
Senior Security Consultant
Accudata Systems, Inc.
320 Decker Drive
Irving, TX 75062
(817) 496-6450 Office
(877) 832-6013 FAX
(713) 446-5259 Cell
(281) 897-5000 Corporate Office
(281) 897-5001 Corporate FAX
 
 

________________________________

From: Steve Schuster [mailto:sjs74 () CORNELL EDU] 
Sent: Thursday, November 09, 2006 8:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Gmail, etc. - Forwarding Email to Personal Accounts!


We're also trying to think this through.  As a matter of fact, we're
currently stepping back to try to consider what getting a more formal
relationship with Google might mean to us -- ASU has a pretty compelling
story with respect to their move to Google. 

From my perspective, I'd rather no one use e-mail for university
sensitive data no matter where the data sits.  We're trying to take some
more aggressive steps to provide better protection of university data
overall but particularly trying to ensure we don't use mail for such
information.  If we were to be successful then I wouldn't care where the
mail flies.  I know for a fact, however, that we will never be
completely successful here so I'm left asking, if we were to enter into
an agreement with Google, MSN or some other such company who has more
security resources, who has more to lose and who has the better
security.

Good luck,
sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu




On Nov 8, 2006, at 3:02 PM, Sadler, Connie wrote:



        Hi, all... we have more and more people (faculty and staff as
well as students) who want to forward their work-related messages, as
well as their personal messages, to one central email account, usually
gmail. Obviously, I am concerned about having potentially sensitive
university email content sitting on a gmail server. What are you folks
doing to manage these sorts of requests? Are you preventing staff or
faculty from doing this? If so, how has that worked? We are rapidly
moving toward expectations people have of having all of their messaging
funneled to one place, and while this is certainly convenient, I'm quite
concerned about how we can ensure a reasonable level of security.

        Thanks - 

        Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC 
        IT Security Officer
        Brown University Box 1885, Providence, RI 02912
        Connie_Sadler () Brown edu
        Office: 401-863-7266
        PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
        PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB


