Re: Faculty & Staff E-mail Forwarding to Outside Providers

[Bob Kalal <kalal.1 () OSU EDU>]

A quick poll after reading Frank's note ...

Does your public institution operate under state or local laws, rules,  
or policies that:

- Prohibit the storage of state or institution data or sensitive  
information on non-state/institution or personal computers or devices?

- Require encryption of state or institution data or sensitive  
information during transmission in a non-secured telecommunications  
environment?

Thanks, I'll summarize for the list.

Bob Kalal
Director, IT Policy
THE Ohio State University
On Jan 29, 2009, at 2:58 PM, Moore, Frank wrote:

> Michael,
>
> We are a state University within the Commonwealth of Virginia. The  
> state does not allow Commonwealth data on non-Commonwealth machines.  
> The one possible exception to this is when a vendor needs the data  
> to set up a server we are buying/using. In that case there is a data  
> disclosure (read “breach”) part of the contract. As a result, we do  
> not allow faculty/staff to forward their e-mail to a non Longwood  
> University account.
>
> Thanks,
>
> Frank Moore
>
> F. X. Moore III, Ph.D.
> Vice President and CIO
> Longwood University
> 201 High Street
> Farmville, VA 23909
>
> [voice] 434.395.2034
> [fax]   434.395.2035
>
> moorefx () longwood edu
> http://www.longwood.edu
>
> IITS will never ask for your password in an email.
> Don't ever email your password to anyone!
>
> On 1/29/09 1:01 PM, "Miller, Don C." <donm () UIDAHO EDU> wrote:
>
> Michael, we do allow employees to forward e-mail without assistance  
> from IT (we are using exchange 2003).  There have been forwarding  
> loop issues in the past but as you mention the biggest concern we  
> have, which has not been brought to our counsel, is not only FERPA  
> guidelines but public records requests; record retention/archiving;  
> personnel action, investigation and review; intellectual property  
> rights and control, etc.  We have around 2500 employees and we have  
> to “freeze” accounts for review about 20 times a year and we usually  
> have at least 1 major request to archive records for multiple users.  
> Our administrative procedures manual is vague on the topic other  
> than the ownership of all data (including e-mail) is retained by the  
> institution regardless of where it is stored.
>
> Don Miller
> University of Idaho
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> ] On Behalf Of Stanclift, Michael
> Sent: Thursday, January 29, 2009 7:12 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Faculty & Staff E-mail Forwarding to Outside  
> Providers
>
> Just curious how many of you permit employees to forward their work  
> email to non-campus managed email providers. We will periodically  
> setup forwards for them as requested, but have started to wonder if  
> this may be a FERPA violation since students are not aware their  
> information is being released to a third party service, where as if  
> the professor asks them to use a non-campus email, at least they’re  
> aware of it when sending it.
>
> We’ve always disliked the practice because it’s just additional  
> overhead for us and makes it difficult to track down messages sent  
> to people, or recover them if they delete them. But is there a legal  
> reason behind not doing it?
>
>
> Michael Stanclift
> Network Analyst
> Rockhurst University
>
> http://help.rockhurst.edu <http://help.rockhurst.edu/>
> (816) 501-4231