Educause Security Discussion mailing list archives
Re: Faculty handling of student data
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 1 Jul 2008 21:16:56 -0400
Jim: Good point. To date our biggest ID breaches have come through hardcopy loss and not electronic.

-Kevin

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Jim Dillon
Sent: Tue 7/1/2008 5:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

To add a small bit of fuel to the fire - no one has mentioned yet the analog protection that should accompany the "paper" product (which may in fact still be electronically delivered depending on the ingenuity of the faculty member) that may go home with the instructor. The loss of a paper gradebook that had identifying info on it would be reported no less quickly or vigorously by the local press than the electronic records in question.

After years of breaches, laws, and public politicizing the risk equation for the institution may need some re-evaluation, but absent that, I find that "information" security policies tend to not focus on information in all its forms, mostly on electronic info where the loss is (in my favorite phrase) "instantaneous, global, and irreversible." So the potential threat is more limited with paper, but the consequence may quickly appear to have the same consequence.

As you draw distinctions/exceptions and evaluate policies there may be good cause to look to non-electronic guidance or the lack thereof in establishing a consistent campus/university policy set. The loss of a stack of term papers or exams with names on them would appear to be as serious a FERPA issue as an electronic loss, albeit with a slightly lower threat potential (say initially a few thousand vs. 3 billion.) I haven't a clue how many assignments get turned in on paper rather than as a Word attachment to an email these days, or how many long-time faculty still expect papers with name/address info on them as they did in the day, but there are bound to be cases.

Whether the stolen briefcase or backpack had a laptop or a stack of term papers, the responsibility to protect and the impact of a violation remains it seems to me. I can't count the number of reports I've seen about notebooks being stolen out of cars at the gas station or grocery store. I wonder what the count of briefcases/backpacks left in restrooms, under restaurant tables, or similarly "lost" at the gas station would be?

JD

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Payne, Shirley (scp8b)
Sent: Monday, June 30, 2008 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

We use a "follow the institutional data" approach, i.e. if someone stores the institution's sensitive data on an electronic device or media, he/she must comply with the institution's data protection requirements. It doesn't matter if that individual is a faculty member, staff, student worker, contractor, etc. or if the device/media on which the data are stored is owned by the institution or the individual.

Shirley

Shirley C. Payne
Director, IT Security and Policy
University of Virginia

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Monday, June 30, 2008 4:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty handling of student data

I'm trying to draw out whether or not institutions make any kind of exceptions/distinctions for faculty use. For example, we have a large number of adjunct faculty, who do not have dedicated offices/computers. Therefore, it isn't uncommon for them to use their own laptop. Similarly, faculty may have local grade tabulations, or perhaps take a stack of exams home to grade.

Thus, we are looking to build our policy around the way that faculty works, yet manage it with reason. A lot of what I see is a sensible approach for staff, but doesn't seem to address the unique needs of faculty.