Educause Security Discussion mailing list archives

Re: Login Request


From: "Haselhoff, Brent" <brent.haselhoff () WKU EDU>
Date: Mon, 24 Sep 2018 13:47:50 +0000

Frank has some good thoughts on the matter.  At WKU, it is against University policy to store sensitive data on mobile 
devices including laptops; when we talk about sensitive data, we are mostly concerned with PII, but FERPA and the very 
little HIPAA data we have are included as well.  We would never give a user a machine that our IT department can’t 
access.

Brent

Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 24, 2018 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login Request

Chris, we haven't run into this here, but here are my thoughts on the matter:

1) You are absolutely correct - data should be saved to profile only, so even if someone else did sign in, assuming 
they didn't have administrative access, they couldn't access the data.
2) Full disk encryption - right on, BitLocker or whatever, usually has a PIN/passcode to prevent the computer from even 
being booted by unauthorized folks
3) "No" - if it is a university laptop, "you" (being a representative of the IT Department) need to maintain access to 
the laptop
4) Depending on the nature of the data, other controls may be in order (host-based firewall, encrypted folders, etc.)
4.a) If the data is *that* sensitive, it probably shouldn't be stored on a laptop that can leave controlled environments
5) Audit trail - set up access logging so that you can prove who has accessed the sensitive data
6) How is this data being backed up?
7) How secure are the user's credentials? MFA?

We have identified certain information on campus, and make sure that it is stored on specific file-shares, for which we 
have access logging enabled specifically so that we have the audit trail of "who has seen this"

Frank

On Mon, Sep 24, 2018 at 9:16 AM Davis, Chris <CDavis () lourdes edu> wrote:
We received a request from a user who is concerned about security of his laptop.  He wants us to make it so no one else 
can log into the computer.  He is concerned about the security of sensitive data on the computer.  He is worried that 
someone else could log into the computer and see his data.

I am not the type to make special accommodations for users, especially when there are easy solutions to achieve the 
same results.  Our suggestion is to train him to save data in his profile only and then provide full disk encryption.

Has anyone else run into a situation like this, and how did you resolve it?

Chris


Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu




--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
