Educause Security Discussion mailing list archives

Re: policy question?


From: "Soldi, Miguel" <MSoldi () UTSYSTEM EDU>
Date: Thu, 4 Nov 2010 15:16:07 -0500

Anand,
Jane and Brad bring up very valid points.  Here is the link to our policy regarding practices for storage of 
Confidential University Data on portable and non-University owned computing devices.  
http://www.utsystem.edu/policy/forms/uts165/Bulletin1_2008.docx

I believe that nowadays it is impractical to explicitly forbid but you can attempt to manage the reasons why 
confidential data end up in certain devices (an important question that is seldom asked for which convenience should 
not be an easily acceptable answer), who should know about/approve the storage of that data in those devices (addresses 
part of the accountability question), and if the data is going to end up in those devices anyway what safeguards should 
be in place.

I echo Jane's comment that training and awareness (and I would like to add consequences) are key to this issue.  Hope 
this helps.
ms


Miguel Soldi
University of Texas System Information Security Compliance
Office Phone: 512-499-4217
Email: msoldi () utsystem edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Rosenthal, Jane E.
Sent: Thursday, November 04, 2010 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] policy question?

The rubber meets the road on this topic and it's a difficult one.  For those of you with a policy on Data or Data 
Classification, you may already have the requirements of handling the information in one manner or another (no matter 
what device or equipment is the mechanism for dealing with the information).  The transmission and/or storage required 
for information on a home PC or mobile smartphone may be the key - in these tough economic times.  You can certainly do a 
blanket policy for any HIPAA units and possibly some others.

Training and awareness are keys to this issue as well.
_____________________
Jane E. Rosenthal
Director | Privacy Office
The University of Kansas

Voice +1.785.864.9528 | Fax +1.785.864.4463
Email jer () ku edu | Web http://www.privacy.ku.edu

From: Brad Judy [mailto:win-hied () BRADJUDY COM]
Sent: Thursday, October 28, 2010 2:51 PM
Subject: Re: policy question?

Be careful with such a policy.  Between research funding and personal funding, a lot of faculty equipment might not 
technically belong to the university.  Just ask a typical research lab what items would move with them if the PI 
decided to move to another university.

Certain types of schools might be able to provide for all faculty needs with institutionally-owned computers and 
equipment, but many would have major problems without "personally owned" items in use.  Not to mention the vast amount 
of university business that is done on personally owned cell phones and smart phones.

Plus, there's the issue of third-party owned equipment on the university network, but that issue has an option of 
contractual security requirements.

Brad Judy

Emory University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S 
Malwade
Sent: Thursday, October 28, 2010 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] policy question?

I was wondering if other institutions have a general Policy that


a) explicitly prohibits Employees and administrators from using personal laptops or computing equipment for 
conducting university business? The Assumption is that they are provided university owned equipment with standard 
images with up-to-date security updates and protection.

b) Prohibits Student Workers/GA's from handling confidential information when working with certain departments.


Thanks,
Anand



Anand Malwade
IT Security
Seton Hall University


