Educause Security Discussion mailing list archives

Re:
From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 17 Dec 2007 14:03:19 -0600

Kevin - Seems to me that you "found the balance" required, it just doesn't
happen to be the balance the faculty member wants...
Couple of things to consider...
- Does this FM retain personally identifiable information as defined by law
or UC policy?  Illinois has the Personal Information Protection Act which
defines what is subject to notification in the event of a security breach.
We also have a university policy on handling of SSNs.  Neither requires
encryption (though that may change soon) but recommend it as a practice, and
the documents help get their attention.
- Can it be shown that the FM has sensitive data stored on PC? We've used
Cornell's Spider to discover and show where this data resides; helps to
establish the "need" for protection. We have found individuals who thought
they had no data but were shown otherwise - that helped them to adapt to
policy, or at least appreciate the need for compliance. Maybe cut a deal -
if no sensitive data found, no need for encryption; if data is found, get
rid of it or encrypt.
- The FM's dean may be able to provide some assistance, especially where
this is a matter of policy -or- just good sense.
- Assuming data is present, and you have a basis in fact for protecting it
(like policy, regulation or a recent security incident), then I'd suggest
discussing the "noncompliance" position with the provost, and/or human
resources and/or general counsel and/or internal audit and ask for guidance
(I know that our lawyers are not at all keen on having someone in the
university's employ who knowingly places them at risk).  You might consider
asking any/all of them to put their collective support behind a "you will
and will not" statement you'll be happy to draft for them - that might help
sway recalcitrant faculty (or not).  We have not yet had to do this but on a
similar issue, I had one of the attorneys suggest having the non-compliant
party sign a document indicating assumption of risk (never came to pass so I
don't know how that might work out).

After all is said and done, if nobody wants to do anything about it, you can
continue to bang your head against the wall (not recommended) or document
all that you've done and e-mail that to provost/hr/legal/audit and move on -
and hope that this particular FM doesn't get compromised.  Frankly, I'd
rather everyone abide by policy but sometimes there's no convincing people
otherwise.

Good luck!
Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930
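Dave's second point rests on a discovery tool like Cornell's Spider showing where SSN-like data actually lives. As an added illustration that is not part of this thread and not Spider's own code, here is a small Python scanner in the same spirit: it walks a directory, counts candidate SSNs that pass the Social Security Administration's structural rules (so random nine-digit numbers are mostly filtered out), and reports only file paths and hit counts, never the matched values. The file extensions scanned and the sample files in `demo()` are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Candidate SSN: 3-2-4 digits with "-", a space, or nothing between groups,
# bounded so that a longer digit run (e.g. a 10-digit phone number) is not matched.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply SSA structural rules: these values are never issued, so reject them."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # area 000, 666 and 900-999 are never issued
        return False
    if g == 0 or s == 0:                 # group 00 and serial 0000 are never issued
        return False
    return True


def scan_text(text: str) -> int:
    """Return how many plausible SSNs appear in text; the values themselves are discarded."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_tree(root, exts=(".txt", ".csv", ".log")) -> dict:
    """Walk root and return {relative path: hit count} for files with at least one hit."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        try:
            text = path.read_text(errors="ignore")   # binary junk is skipped, not decoded
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo() -> dict:
    """Scan a constructed sample tree (made-up values, not real records)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "grades.csv").write_text("smith,123-45-6789\njones,987-65-4321\n")
        (Path(d) / "notes.txt").write_text("phone 555-1234; order 000-12-3456; id 123-00-6789\n")
        (Path(d) / "syllabus.txt").write_text("Week 1: intro\n")
        return scan_tree(d)   # only grades.csv has a plausible SSN (one hit)
```

In the sample tree, `987-65-4321` (area 900+), `000-12-3456` (area 000) and `123-00-6789` (group 00) are rejected, so the report is `{"grades.csv": 1}`; that filtering is what keeps a report like this credible when it is shown to a skeptical faculty member.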

________________________________

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, December 17, 2007 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

Hi All:

I am having a bit of a tussle with a faculty member who is on one of the
committees that already approved UC having a Full Disk Encryption Policy.  I
won't overload you with the verbose emails that have gone back and forth but
it seems that his concern is summed up in that he doesn't want a policy for
this as that makes it mandatory and he is making some grandiose blanket
statements about the impact to faculty if we have a Full Disk Encryption
policy in place. (see below)   The policy basically says:  all PCs that
store restricted data (FERPA, HIPAA, GLB, PCI) will be encrypted with PGP's
full disk encryption software at no cost to the individual or department.
This software will be supported, as needed, by Central IT.

Hi Kevin

Encouraging FDE (full disk encryption) is fine.  Mandating it - is not.

Regarding your comment that "My profession is all about Risk mgt and
mitigation".
That is the trouble with the policy.  Faculty teach, do research, etc. The
policy needs to strike a balance. In years past, we had similar discussions
about libraries.  To protect the books, libraries should simply close their
doors. A balance needs to be found.

The goal of the policy should be to assist professors to follow the law
while they do their job.
Here's my question:  I have talked about how transparent the tool is, my
team and I have used it for about 6 months now;  I have talked about how as
an adjunct I found it easy to use, and I have talked about how this IS a
tool that allows faculty to do their job and to safeguard information at the
same time.   I have also offered to let him try the tool and he has not
taken me up on that.  The net result I have had is nil.

Have any of you had success with a technique to overcome this type of
obstacle?   I have no doubt that the policy will be approved and moved
forward but I would also like to get this very vocal faculty member's
support if possible.

Thanks,

-Kevin

Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)