Educause Security Discussion mailing list archives
Re: Confidentiality agreements and IT staff
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 29 Mar 2012 17:30:30 +0000
Agreed. I think their best purpose is to make the employee aware that the data they have at their disposal should be treated carefully. I haven't seen it in a couple years, but in the past we've had employees that didn't realize writing a credit card number on a piece of scrap paper (or having someone email it to you) was a bad idea. Signing an agreement should soften some liability, but regular reminders of the policy as well as technological protections are "must haves" as well.

My point was that we get so focused on 1st degree handlers of the data that we forget that there is information that all employees work with that needs to be controlled. It's very possible a loading dock person may never realize that giving a student's dorm address out is not permissible.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Tracz
Sent: Thursday, March 29, 2012 1:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

I hope I have not given the wrong impression. I am a proponent of Confidentiality Agreements; they are useful tools and have a purpose. However, on their own they are not effective. They need to be supplemented by additional preventative and detective controls.

Dennis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian Helman
Sent: Thursday, March 29, 2012 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

I'm not sure I see why all employees wouldn't sign such an agreement (not accounting for any bargaining positions). Granted our friends to the North don't have FERPA, but even mailroom people could potentially disclose private/confidential information. In fact, I'd go a step further and say that a clause should be added to any contract position.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Tracz
Sent: Thursday, March 29, 2012 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

All of our IT, University Development Office & Research Accounting staff are required to sign a Confidentiality Agreement prior to being granted system access. The rationale here is that by virtue of their position they may be exposed to Confidential Information. This is still a paper based agreement. However, we are looking at combining this with an annual ethics & conflict of interests declaration (hopefully electronic).

Personally I think that this on its own does very little to prevent or even deter unauthorized disclosure. It's more of an after the fact C.Y.A for audit/regulatory compliance & or grounds for dismissal.

Dennis N. Tracz, CISSP-ISSMP, CISM, CGEIT
Director, Information Security & Compliance
University of Calgary
Office: (403) 220-4010
Cell: (403) 305-4010

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of David Seidl [dseidl () ND EDU]
Sent: Thursday, March 29, 2012 7:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Confidentiality agreements and IT staff

Folks,

I'm curious if you currently require all or most of your IT staff to sign a confidentiality agreement at hire on a recurring basis, and if so, what your reasons for doing so are. We've had one in place for new hires for years, and our business staff has asked if we can dispense with it as a general requirement for all IT staff. I've done a bit of review, and can't find a direct requirement to point to for people who don't have direct compliance related assignments.

Thanks in advance for your feedback and comments!

David

David Seidl, CISSP, GCIH, GPEN
Director of Information Security
Office of Information Technologies
University of Notre Dame
Notre Dame, IN 46556
(574) 631-7305
dseidl () nd edu