Educause Security Discussion mailing list archives

Re: Quick Survey - How much of Faculty/Staff directory information is made public? And How?


From: "Kieper, David" <kieperd () UWGB EDU>
Date: Tue, 15 Jan 2008 08:26:15 -0600

We make available:

Name, operational title, department, office location, email address, direct telephone, and mailing address.  This is 
the same information we make available in our public printed directory.

The main restriction is that in the web search form (an ASP application), the person has to put in at least a partial 
first and last name, and the number of hits returned to a search is limited to ten.  These restrictions were put in 
place to limit harvesting (after we observed harvesting of email addresses by a local business).


Regards,

David Kieper
Manager, Network and Infrastructure Services
Information Technology Security Officer
Information Services Division
University of Wisconsin - Green Bay                     office: (920) 465-2238
2420 Nicolet Drive                                      fax:    (920) 465-2864
Green Bay, WI  54311-7001   USA                 email:  kieperd () uwgb edu


________________________________
From: James Moore [mailto:jhmiso () RIT EDU]
Sent: Monday, January 14, 2008 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Quick Survey - How much of Faculty/Staff directory information is made public? And How?

I am looking to quickly benchmark how much information about faculty and staff is made public.  Our IT department, and 
our web governance group are united in that it should be on the web, because it always has been.  People are not yet 
good at doing syntax like jhmiso (rat - r) rit (dOt) edu, so email address collection engines could certainly gather a 
lot of faculty and staff addresses off of other websites.  Also, for easy navigation, it is arranged by department, so 
the organizational view is public too.  Titles are included.  Direct telephone numbers are included, as are building or 
street address, and often room numbers.

I originally recommended that this be classified "RIT Internal Use Only", and have IP restrictions (on campus use) or a 
requirement to login to get the full information from the Internet.  I have looked at a couple of universities that 
have searches for "People" on their main page, and have found that they often contain all of the same information, and 
sometimes more, except for the departmental organization information.  Since ours is a PDF (and you could find who is 
what, rather than knowing the who, and looking for them) that is another difference.

I am interested in understanding the rationale behind classification and presentation of this information.  I am 
interested as well in any stories of why people changed their classification.

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4208 (lab)
(585) 475-7950 (fax)



"We will have a chance when we are as efficient at communicating information security best practices, as hackers and 
criminals are at sharing attack information"  - Peter Presidio

Confidentiality Notice:  Do the right thing.  If this has the words "Confidential" or "Private" in the subject line, or 
similar language in the email body, or as a label on any attachment, then think.  Do you know me?  Did you expect to 
receive this?  Do you recognize and work with the other addressees?  If not, then you probably received this in error.  
Please, be respectful and courteous, and delete it immediately.  Please, don't forward it to anyone.

Now, wasn't that simple.  Just, if you had made an error in a sensitive email, and I received it, what would you want 
me to do with it?

