Re: Faculty Grant Machines

[Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>]

Zach,

The responsibility comes not from the protection of the machine but rather from the protection of the data that resides 
on the machine.  Any person or device with access to your protected information (I.e. PCI, HIPAA, FERPA, GLBA data) is 
at least considered a "business partner." Because you are legally responsible for the data, you are also responsible 
for any entity or business partner that you permit to access that data.

In short, if you permit access to the data, you are responsible for protecting the information.


Sarah E Stevens
Stevens Technologies, Inc.
(704) 625-8842 x500
--------------------------
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wed Aug 06 11:07:27 2008
Subject: [SECURITY] Faculty Grant Machines

I'm wondering how other schools handle computers purchased by faculty using grant money. Do you require that those 
machines be managed by your security software such as AV, patch management, etc? Do you segregate those from the rest 
of the network and leave them alone? Or do you let faculty do whatever they wish to do with the machines? Does anyone 
know what the institutions responsibility is in the event of a breach of confidential information on grant purchased 
research machines? Any sage advice or information is appreciated. 

Thanks,

Zach




-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550