Educause Security Discussion mailing list archives
Re: Information on Public website
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Mon, 23 Nov 2009 18:27:21 -0500
OK, I'm studying for the CISSP, and one of the test questions is exactly this topic, with the correct answer (for the test) being "the company directory should be unavailable to the public in any form." And that's fine for the private sector where the biggest concerns involves (or at least used to) having their talent stolen, or unionized, and unsolicited sales. I'm not certain that control aligns with the mission of Higher Ed, but this is where management weighs the perceived risk and then makes an informed decision. I guess they should also consider the increased risk of social engineering. If I know who works where, it makes it easier to gain trust. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Amber Weishaar Sent: Monday, November 23, 2009 3:49 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information on Public website We have a searchable contact directory available on our public website. Visitors must enter at least three letters of an individual's last name for results to be shown *unless* the user's last name is only two characters. Then, only exact two-letter last name matches are shown. Each person is able to change his/her preferences for which pieces of information are shown to the public and which are shown via our authenticated portal. Amber -- Amber Weishaar Director of Web Services University of Indianapolis (317) 788-3239 http://www.uindy.edu On Nov 23, 2009, at 3:36 PM, Emery Rudolph wrote:
Its one thing to publish department information, but quite another to publish an individual employees information and title. The problem arises when spammers, vendors, head hunters, etc have free reign to contact anyone at will. This is more than annoying to the employee, because there is no filter from these types of contacts. While some employees may conceivably benefit from such exposure (academic advisors) other, behind the scenes employees (system administrators) would be inconvenienced by students seeking classroom assistance, when they should be routing those issues directly to their professors. Very Best Regards, Emery Rudolph Director, Systems Management University of Maryland University College 301-985-7447 http://www.umuc.edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schaffer Sent: Monday, November 23, 2009 2:53 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information on Public website At some point there has to be some method for persons/entities outside a university to contact persons within. I don't really see any problem with the publication of directory information such as this. Remember that Accessibility is also an important part of information security... Greg -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade Sent: Monday, November 23, 2009 1:48 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Information on Public website I was curious to know what other Institution's policy is regarding publishing Administrative Staff and faculty information on the University's Public website. The information includes Name, Title, Phone #, Location and Division. I my opinion this should be placed behind an authenticated portal as it maybe be used for Social engineering attacks. Does anyone see potential privacy concerns ? Any other opinions ? Thanks Anand Seton Hall University.
Current thread:
- Information on Public website Anand S Malwade (Nov 23)
- <Possible follow-ups>
- Re: Information on Public website Greg Schaffer (Nov 23)
- Re: Information on Public website Moore, Frank (Nov 23)
- Re: Information on Public website Pete Hickey (Nov 23)
- Re: Information on Public website Greg Schaffer (Nov 23)
- Re: Information on Public website Hugh Burley (Nov 23)
- Re: Information on Public website Emery Rudolph (Nov 23)
- Re: Information on Public website Amber Weishaar (Nov 23)
- Re: Information on Public website Brian Epstein (Nov 23)
- Re: Information on Public website Sarazen, Daniel (Nov 23)
- Re: Information on Public website John Ladwig (Nov 23)