Educause Security Discussion mailing list archives

Re: Faculty handling of student data


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 1 Jul 2008 21:16:56 -0400

Jim:
 
Good point.  To date our biggest ID breaches have come through hardcopy loss and not electronic.
-Kevin
 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Jim Dillon
Sent: Tue 7/1/2008 5:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data



To add a small bit of fuel to the fire - no one has mentioned yet the
analog protection that should accompany the "paper" product (which may
in fact still be electronically delivered depending on the ingenuity of
the faculty member) that may go home with the instructor.  The loss of a
paper gradebook that had identifying info on it would be reported no
less quickly or vigorously by the local press than the electronic
records in question.

After years of breaches, laws, and public politicizing the risk equation
for the institution may need some re-evaluation, but absent that, I find
that "information" security policies tend to not focus on information in
all its forms, mostly on electronic info where the loss is (in my
favorite phrase) "instantaneous, global, and irreversible."  So the
potential threat is more limited with paper, but the consequence may
quickly appear to have the same consequence.

As you draw distinctions/exceptions and evaluate policies there may be
good cause to look to non-electronic guidance or the lack thereof in
establishing a consistent campus/university policy set.  The loss of a
stack of term papers or exams with names on them would appear to be as
serious a FERPA issue as an electronic loss, albeit with a slightly
lower threat potential (say initially a few thousand vs. 3 billion.)  I
haven't a clue how many assignments get turned in on paper rather than
as a Word attachment to an email these days, or how many long-time
faculty still expect papers with name/address info on them as they did
in the day, but there are bound to be cases.  Whether the stolen
briefcase or backpack had a laptop or a stack of term papers, the
responsibility to protect and the impact of a violation remain, it seems
to me.  I can't count the number of reports I've seen about notebooks
being stolen out of cars at the gas station or grocery store.  I wonder
what the count of briefcases/backpacks left in restrooms, under
restaurant tables, or similarly "lost" at the gas station would be?

JD


-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Payne, Shirley
(scp8b)
Sent: Monday, June 30, 2008 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

We use a "follow the institutional data" approach, i.e. if someone
stores the institution's sensitive data on an electronic device or
media, he/she must comply with the institution's data protection
requirements. It doesn't matter if that individual is a faculty member,
staff, student worker, contractor, etc. or if the device/media on which
the data are stored is owned by the institution or the individual.

Shirley

Shirley C. Payne
Director, IT Security and Policy
University of Virginia

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Monday, June 30, 2008 4:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

 I'm trying to draw out whether or not institutions make any kind of
exceptions/distinctions for faculty use.

 For example, we have a large number of adjunct faculty, who do not have
dedicated offices/computers. Therefore, it isn't uncommon for them to
use their own laptop. Similarly, faculty may have local grade
tabulations, or perhaps take a stack of exams home to grade. Thus, we
are looking to build our policy around the way that faculty works, yet
manage it with reason. A lot of what I see is a sensible approach for
staff, but doesn't seem to address the unique needs of faculty.


