Educause Security Discussion mailing list archives

Re: Question about confidential data in emails.


From: Kevin Shalla <kshalla () UCHICAGO EDU>
Date: Wed, 7 Mar 2018 13:16:26 +0000

There’s another aspect of trust. I think it’s useful to think of the security of the channel. While the student may 
trust the Registrar, and the Registrar the student, the channel itself is insecure. Suppose the Registrar’s office was 
closed, and the student taped an envelope to the outside door. Then for the Registrar to act upon this document 
requires the Registrar to trust not only the student, but everyone who walked by the door from closing time yesterday 
until opening time today. If I were the Registrar, I wouldn’t trust it. E-mail security isn’t so good; I would guess 
it’s somewhat similar to the above – usually it doesn’t get messed with, but there’s no guarantee.

Kevin Shalla
Manager of Technology
Campus and Student Life
University of Chicago

From: Frank Barton [mailto:bartonf () HUSSON EDU]
Sent: Tuesday, March 6, 2018 8:28 AM
Subject: Re: Question about confidential data in emails.

Sherry, I would try to "spin" it as an educational opportunity for your students.

While they may trust you, you want to get them in the habit of trying to find secure methods to get data from them to 
anybody that needs the data. Just because they trust you doesn't mean that they should trust... Comfort Inn when they 
ask for credit card information to be emailed to them...

By making your students aware of data security early (and often) it will serve them well as they graduate and move into 
their respective professional careers (doubly so if they are going into a highly regulated field such as healthcare, 
banking, etc.)

We have inbound policies (as described previously) about what to do when messages come in, but we also have outbound 
DLP filters that will reject a message, and indicate secure ways to send the data in the bounce message.

Frank

On Tue, Mar 6, 2018 at 9:14 AM, Pesino, Sherry <SPesino () commnet edu> wrote:
We have discussed not accepting the emails. This should work for emails received from organizations, like other state 
agencies, (yes some still send confidential data via email) but what if a student sends copies of tax returns or other 
confidential data via email? Most of our registrars and financial aid folks would be reluctant to send it back to a 
student. Not wanting to give the student additional hoops to jump through.

Sherry

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
Sent: Tuesday, March 6, 2018 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

This sounds like what I was trying to say, but Frank did a better job of it.

+1

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Tuesday, March 06, 2018 7:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

This is actually a question that came up as part of our PCI process.

The 'official' response that we got to our question was that
(a) we should make sure that we indicate not to send [CHD] over email
(b) We should not process anything based on the information we received over email
(c) we should redact and reply that we can't process it based on unencrypted email.
(d) delete the original email

Frank

On Mon, Mar 5, 2018 at 9:16 AM, Austin Bollinger <austinbollinger () grcc edu> wrote:
In your Office 365 environment, you may use DLP 
policy<https://support.office.com/en-us/article/create-a-dlp-policy-from-a-template-59414438-99f5-488b-975c-5023f2254369>
 for locating emails containing confidential info.

Then it sounds like you want to delete emails within your 
organization<https://support.office.com/en-us/article/search-for-and-delete-email-messages-in-your-office-365-organization-admin-help-3526fd06-b45f-445b-aed4-5ebd37b3762a>.

Beyond this, you may want an email security gateway solution or service. One vendor that comes to mind is Barracuda; 
there is Essentials for an all-in-one<https://www.barracuda.com/products/essentials> supporting Office 365.


Best Regards,
Austin Bollinger
Information Security Analyst
IT at Grand Rapids Community College
(616) 234-2537
austinbollinger () grcc edu | www.grcc.edu/informationtechnology/informationsecurity

"Martinez, Brian" <brm () MSU EDU> 3/5/2018 8:21 AM >>>
Why, you’d almost need some sort of… Reverse DLP?!

Seriously though, I realize Mark clarified what he meant, but I did spend a few minutes this morning trying to find if 
something like that existed. How does one prevent themselves from accidentally receiving confidential information? NDA 
was the best answer I could find via Google. But even if you’ve signed one with the vendor, that doesn’t prevent it 
from showing up in your inbox.

An interesting area of thought though. “Limit your liability by preventing the receiving of confidential data. 
[Buy|Download] our product!” Something cybersecurity insurers will no doubt be working on in just a few years’ time. :)

Cheers!

Brian R. Martinez
Information Security
Michigan State University
Office: +1-517-884-8791
brm () msu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, Edward
Sent: Monday, March 5, 2018 12:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question about confidential data in emails.

I am curious how one would do that (Refuse to receive confidential data sent by unencrypted email).

Thanks
Ed


Ed Hudson
Interim Chief Information Security Officer
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Sunday, March 4, 2018 at 7:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Question about confidential data in emails.

I’m not sure if we have a policy for this.
My personal opinion is that such mail should be rejected.  You should refuse to receive confidential data via 
unencrypted email.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pesino, Sherry
Sent: Wednesday, February 28, 2018 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question about confidential data in emails.

Looking for some guidance in dealing with confidential data in email.

How do you handle when outside entities send confidential data via email and that email needs to be retained and if 
not, then how is it securely deleted? Saving an email out of an O365 mailbox and deleting an email may not securely 
remove the mail in all forms that Microsoft stores that email in the mailbox. Scrubbing the info from inside an email 
may not fully scrub it. Just wondering if there are any procedures anyone uses to securely redact/scrub content from 
an email and procedures for handling when confidential data is sent from an outside entity?

Thank you,
Sherry
____________
Sherry Pesino
Information Security Program Office
Connecticut State Colleges and Universities
61 Woodland Street
Hartford, CT 06105
860-723-0021
pesinos () ct edu




--
Frank Barton
Security+, ACMT, MCP
IT Systems Administrator
Husson University


