Re: Do students hold universities accountable for protecting their information?

["Semmens, Theresa" <theresa.semmens () MIAMI EDU>]

Is it possible to do a blog or opinion piece in this thread?

Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Pitt, Sharon 
<spitt () UDEL EDU>
Sent: Tuesday, June 12, 2018 9:33:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

Great insight from everyone. Is anyone doing direct surveys of students about this question?

Please excuse creative spelling errors and word substitutions
sent from this mobile device.


On Jun 12, 2018, at 10:26 AM, Valerie Vogel <vvogel () EDUCAUSE EDU<mailto:vvogel () EDUCAUSE EDU>> wrote:

Thank you all for such an important discussion!

I wanted to share our latest Featured Topic Guide: Understanding Data Privacy Issues in Higher Education, 
https://www.educause.edu/guides/understanding-data-privacy-issues-in-higher-education<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fguides%2Funderstanding-data-privacy-issues-in-higher-education&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973771027&sdata=nZ5GnI%2FwrPSwCEaZh1Gizv04BM4gQuuic5n5%2FSW2RsU%3D&reserved=0>

We hope you’ll find these resources useful as you consider privacy issues impacting your campus and community members.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | twitter: @HEISCouncil | vvogel () educause edu<mailto:vvogel () educause edu>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on 
behalf of Ruth Ginzberg <rginzberg () UWSA EDU<mailto:rginzberg () UWSA EDU>>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Tuesday, June 12, 2018 at 6:02 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

Procurement here:

I think you also need to think about educating your constituents about reading privacy policies, which means reading 
beyond the first couple of paragraphs.

I cannot tell you how many privacy policies I have seen that start out saying, “[Company name] cares about your privacy 
and takes it very seriously…” and then go on to spell out the most egregious violations of users’ privacy (often on 
page 8 or page 33 or some other section much further down in the privacy document than most users will ever read).


Ruth Ginzberg
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

Sent from Surface tablet by Mail for Windows 10

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Frank Barton <bartonf () HUSSON EDU<mailto:bartonf () HUSSON EDU>>
Sent: Tuesday, June 12, 2018 7:37:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

I like Robert's response, and I really like Brad's breakdown of the various ways that 'accountability' can be perceived.

I think the flip question is: Do we hold ourselves accountable for our student's information that we hold?

This is a much harder question to answer. Now we are not only looking at regulations, but also policies, and 
interpretation of policies, and differences between various groups/offices on campus. As IT, I want to say that "yes, 
we as an institution are holding ourselves accountable for student's personal information", but I also know that we 
have multiple layers of DLP, audit trails, and other protective measures in place because we know that mistakes happen, 
humans are only human after all.

Where I can say that we (academic institutions as a whole) are probably not doing as well as we could, is educating our 
students on how best to protect their own information: Malware, social media exposure, how to protect home networks, 
adware, spyware, phishing, etc... we have many layers of protection that we put on the networks and systems that we 
manage, and there is little understanding outside of our offices as to what we do, and why, and how individuals, not 
just organizations, are targets. We have had individual faculty members ask us to present to their class about 
information security, but this is the exception rather than the rule.

How are other schools ensuring that they are educating all students to make sure that they are at least aware of the 
threats against them and their personal information?

Frank

On Tue, Jun 12, 2018 at 7:41 AM, John Ramsey <jramsey () studentclearinghouse org<mailto:jramsey () 
studentclearinghouse org>> wrote:
National Student Clearinghouse provides third party services to many of the universities and colleges.  Many (if not 
most) of your schools are exceptionally diligent in ensuring that we’re protecting your students’ data.  I can say from 
direct interaction with the schools, you do hold us to a high standard for protecting “your” students’ data.  I’d think 
the accountability of third party services might range anywhere from a company that performs transcript services to a 
company that provides cloud services (such as Office 365) or even something where student data is accessible via cloud 
services or mobile devices.  Where I’m going with this is that as a third party, it seems as a results of student’s 
holding universities accountable to protect their data, you’re holding third party services to a high standard to 
ensure you’re accountable to not only the schools but the students and their parents.

John

John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Certified:  CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 
20171<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D2300%2BDulles%2BStation%2BBlvd.%2C%2BSuite%2B220%2C%2BHerndon%2C%2BVA%2B20171%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973771027&sdata=PggXNXwML58J2ne%2FDhsm1XMMtLGcWA%2BGobpGMhwcPfs%3D&reserved=0>
P: 703.742.4428  |   
http://www.studentclearinghouse.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.studentclearinghouse.org%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973781031&sdata=ee4gijIHZb9azSuHUyvzEcxczgLiN2QdtOhnO0JEQ9o%3D&reserved=0>
Read the Clearinghouse Today 
Blog<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnscblog.org%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973791039&sdata=rCAjmmNzF5BJwd5l6Ng9Lfxe3pyODV3yUcKXVNGhOyk%3D&reserved=0>

Winner “2016 When Work Works” & “Excellence in Work-Life Balance”

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Brad Judy
Sent: Monday, June 11, 2018 4:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>

Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

To summarize some of the points made here (as well as my own thoughts), I think you can pull this together as a 
can/should/do form:


  *   Can (rights) individuals hold institutions accountable (are there supporting laws/policies/etc that set that 
right or expectation?) – Yes, we have some laws in that space (FERPA, HIPAA) and many schools have related policies. 
What individuals “can” do is also evolving with privacy law changes.
  *   Can (capability) individuals hold institutions accountable? – This is much harder to answer and the honest 
response is probably “the vast majority of individuals do not have the capability themselves.” They need assistance to 
understand the laws, gather information, interface with organizations, etc.
  *   Should individuals hold institutions accountable for data security/privacy – Yes, I think it’s good for anyone to 
hold any organization accountable for meeting privacy/security requirements/expectations.

     *   Should all of the responsibility of accountability oversight be on the individual? No, I don’t think so.  One 
of the reasons we have accountability offices and watchdog groups is the challenge of the capability issue.  Even if we 
lower the bar on those challenges, it will likely still remain out of reach for many individuals.

  *   Do individuals hold institutions accountable?  - Sometimes, but it seems pretty infrequent.  I would guess this 
is due to a mix of lack of personal priority/interest and the capability challenge.

At the moment, pushing accountability on privacy often requires assistance from third-parties (non-profits, 
governments, etc.). Some of the movement we see in data privacy and security is putting options/tools into the hands of 
individuals to ask questions not just about “What data do you have about me?” but also “How do you use that data?” and 
“Who have you given that data to?”  Perhaps someday it will be easier for an individual to understand how organizations 
handle your personal data, but for now, this issue is still in a very messy adolescent phase.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 
300<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D1800%2BGrant%2BStreet%2C%2BSuite%2B300%2B%250D%250ADenver%2C%2BCO%2B%2B80203%2B%250D%250A%2BOffice%3A%2B(303%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973791039&sdata=hdjLhCEXPWoiJ1YVBn8%2Fcq1%2BZKRlDgX1b5iKS9HTO1o%3D&reserved=0>
Denver, CO  
80203<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D1800%2BGrant%2BStreet%2C%2BSuite%2B300%2B%250D%250ADenver%2C%2BCO%2B%2B80203%2B%250D%250A%2BOffice%3A%2B(303%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973801052&sdata=gr2%2FHZAGe2sO2qWmEJXIwU%2BShcIjAhqVJjM0ifbtAqk%3D&reserved=0>
Office: 
(303<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D1800%2BGrant%2BStreet%2C%2BSuite%2B300%2B%250D%250ADenver%2C%2BCO%2B%2B80203%2B%250D%250A%2BOffice%3A%2B(303%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973801052&sdata=gr2%2FHZAGe2sO2qWmEJXIwU%2BShcIjAhqVJjM0ifbtAqk%3D&reserved=0>)
 860-4293
Fax: (303) 860-4302
www.cu.edu<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cu.edu%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973811056&sdata=YU%2BFhXyjTazKfWr4t1xN4sqp28eaKVvmr06sg6lGQ98%3D&reserved=0>

<image001.png>



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of 
Paige Francis <paige () UARK EDU<mailto:paige () UARK EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Monday, June 11, 2018 at 2:10 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

I’m not sure if they hold us accountable but I do believe they absolutely have that expectation. In addition, with 
FERPA and HIPAA we’re bound to safeguard protected data.

--
Paige Francis
Associate CIO, University of Arkansas
Fayetteville, AR #UARK #GoHogs

Need IT 
Help?<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fits.uark.edu%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973811056&sdata=kvCMscPR0iHekkOVoOz1Fi1hhQuVVMGqUYK7mAScucg%3D&reserved=0>
 | 
Twitter<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FCIOPaige&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973821064&sdata=M8OXIb4ha%2BXTsLv2zlWExZfDwITDEs9CM3M4npZcW7M%3D&reserved=0>
 | 
LinkedIn<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpaigefrancis%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973831077&sdata=khOkMj6yIHwNYtKWjdmpNJ5ZKQfQfC9vNplShh9tzuk%3D&reserved=0>
 | 
Blog<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpaigefrancis%2F&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973831077&sdata=khOkMj6yIHwNYtKWjdmpNJ5ZKQfQfC9vNplShh9tzuk%3D&reserved=0>

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of "McIntosh, Keith" <kmcintosh () RICHMOND EDU<mailto:kmcintosh () RICHMOND EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Monday, June 11, 2018 at 9:07 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Do students hold universities accountable for protecting their information?

Colleagues,

Someone recently asked me the following question and I wondered what you would say.   I believe students and parents 
have reasonable expectations that we are both protecting their information and ensuring privacy.

  Do students hold universities accountable for protecting their information?


Keith W. "Mac" McIntosh
he/his/him<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.mypronouns.org_%26d%3DDwMFAg%26c%3D7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA%26r%3DMiccpEVSKT3DA5jws6edeA%26m%3DxE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E%26s%3D9ZKxtGifiJT_omfG3l59i0uii-6HEcp-4bOI_XeNt58%26e%3D&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973841085&sdata=n7inE9Fp4%2BeZZrn9Yk1r5YnEzvL2LwbjlP71lQDsLhI%3D&reserved=0>
Vice President and Chief Information Officer
Information Services

Jepson Hall G-12
28 Westhampton 
Way<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D28%2BWesthampton%2BWay%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973841085&sdata=edyaNZieEL0JmPrVeh2UT8puBI8taIm04G6fo%2BuNw80%3D&reserved=0>
University of Richmond, VA 23173
Office: 804.289.8771
Fax: 804.289.8988
http://is.richmond.edu<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__is.richmond.edu_%26d%3DDwMFAg%26c%3D7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA%26r%3DMiccpEVSKT3DA5jws6edeA%26m%3DxE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E%26s%3D90YlN-N0Ju2PBK4xgYEsTM3k3lRUUnkwKAc-OBTeK-I%26e%3D&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973851094&sdata=NdK%2Bo%2FX9dvbLal3OxJ0e72FK3vCkhSHg5QUlFsYeOQE%3D&reserved=0>

Email: kmcintosh () richmond 
edu<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fkmcintosh%40richmond.edu&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973861098&sdata=ynq%2FncyKHVlCPpDeaXhS2502a7TPgf2Bc6waDV84iXg%3D&reserved=0>
Twitter: 
@<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__twitter.com_Keith-5FMcIntosh%26d%3DDwMFAg%26c%3D7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA%26r%3DMiccpEVSKT3DA5jws6edeA%26m%3DxE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E%26s%3Di_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ%26e%3D&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973861098&sdata=qEHx42oGGvVxYOH2naEi2huFPJ3Fn209q2uX%2B7nUipE%3D&reserved=0>Keith_McIntosh<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__twitter.com_Keith-5FMcIntosh%26d%3DDwMFAg%26c%3D7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA%26r%3DMiccpEVSKT3DA5jws6edeA%26m%3DxE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E%26s%3Di_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ%26e%3D&data=02%7C01%7Ctheresa.semmens%40MIAMI.EDU%7Ca7568de7bfc346d4978108d5d0716dd2%7C2a144b72f23942d48c0e6f0f17c48e33%7C0%7C0%7C636644107973871106&sdata=UO3eew1B%2FYBZvvqUIEaD13XXkf%2FOiHRrZAoGZDP%2FaH8%3D&reserved=0>


=======================================================

This message has been analyzed by Deep Discovery Email Inspector.





--
Frank Barton
Security+, ACMT, MCP
IT Systems Administrator
Husson University