Educause Security Discussion mailing list archives

Re: Information on Public website


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Mon, 23 Nov 2009 18:27:21 -0500

OK, I'm studying for the CISSP, and one of the test questions is exactly
this topic, with the correct answer (for the test) being "the company
directory should be unavailable to the public in any form." 

And that's fine for the private sector where the biggest concerns
involve (or at least used to) having their talent stolen, or unionized,
and unsolicited sales. I'm not certain that control aligns with the
mission of Higher Ed, but this is where management weighs the perceived
risk and then makes an informed decision. 

I guess they should also consider the increased risk of social
engineering. If I know who works where, it makes it easier to gain
trust. 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Amber Weishaar
Sent: Monday, November 23, 2009 3:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information on Public website

We have a searchable contact directory available on our public  
website. Visitors must enter at least three letters of an individual's  
last name for results to be shown *unless* the user's last name is  
only two characters. Then, only exact two-letter last name matches are  
shown.

Each person is able to change his/her preferences for which pieces of  
information are shown to the public and which are shown via our  
authenticated portal.

Amber
--
Amber Weishaar
Director of Web Services
University of Indianapolis
(317) 788-3239
http://www.uindy.edu

On Nov 23, 2009, at 3:36 PM, Emery Rudolph wrote:

It's one thing to publish department information, but quite another to
publish an individual employee's information and title. The problem
arises when spammers, vendors, head hunters, etc. have free rein to
contact anyone at will. This is more than annoying to the employee,
because there is no filter from these types of contacts.

While some employees may conceivably benefit from such exposure
(academic advisors), other behind-the-scenes employees (system
administrators) would be inconvenienced by students seeking classroom
assistance, when they should be routing those issues directly to their
professors.


Very Best Regards,

Emery Rudolph
Director, Systems Management
University of Maryland University College
301-985-7447
http://www.umuc.edu





-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schaffer
Sent: Monday, November 23, 2009 2:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information on Public website

At some point there has to be some method for persons/entities outside a
university to contact persons within.  I don't really see any problem with
the publication of directory information such as this.  Remember that
Accessibility is also an important part of information security...

Greg

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Monday, November 23, 2009 1:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Information on Public website

I was curious to know what other institutions' policy is regarding
publishing Administrative Staff and faculty information on the University's
Public website. The information includes Name, Title, Phone #, Location
and Division.

In my opinion this should be placed behind an authenticated portal as it
may be used for Social engineering attacks. Does anyone see potential
privacy concerns? Any other opinions?

Thanks

Anand

Seton Hall University.
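
The search rule described in Amber Weishaar's message above (three-letter minimum, exact match for two-letter last names, per-person public fields), sketched as an added example that is not code from the thread or from any university's directory. The record layout, the sample entries, and the choice that the authenticated view shows every field are assumptions.

```python
from dataclasses import dataclass, field

ALL_FIELDS = ("first", "last", "title", "phone")

@dataclass
class Person:
    last: str
    first: str
    title: str
    phone: str
    # Fields this person has chosen to show to unauthenticated visitors.
    public_fields: set = field(default_factory=lambda: {"first", "last"})

# Constructed sample records; every name and number here is made up.
DIRECTORY = [
    Person("Ng", "Ada", "Registrar", "555-0101", {"first", "last", "title"}),
    Person("Nguyen", "Binh", "Systems Administrator", "555-0102"),
    Person("Ngata", "Cara", "Academic Advisor", "555-0103",
           {"first", "last", "title", "phone"}),
    Person("Li", "Dan", "Professor", "555-0104", {"first", "last", "phone"}),
]

def match(query, people=DIRECTORY):
    """Apply the minimum-length rule to a last-name query."""
    q = query.strip().casefold()
    if len(q) >= 3:
        # Three or more characters: prefix search on last name.
        return [p for p in people if p.last.casefold().startswith(q)]
    if len(q) == 2:
        # Two characters: only people whose whole last name is those two.
        return [p for p in people if p.last.casefold() == q]
    # Zero or one character never lists anyone, so the directory
    # cannot be dumped by walking the alphabet.
    return []

def search(query, authenticated=False, people=DIRECTORY):
    """Return result rows, exposing only the fields each person allows."""
    rows = []
    for p in match(query, people):
        visible = ALL_FIELDS if authenticated else p.public_fields
        rows.append({f: getattr(p, f) for f in ALL_FIELDS if f in visible})
    return rows
```

Filtering fields on the server, as `search` does, keeps hidden values out of the public response entirely instead of relying on the page to hide them.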
