Educause Security Discussion mailing list archives
Re: Login Request
From: "Haselhoff, Brent" <brent.haselhoff () WKU EDU>
Date: Mon, 24 Sep 2018 13:47:50 +0000
Frank has some good thoughts on the matter. At WKU, it is against University policy to store sensitive data on mobile devices including laptops; when we talk about sensitive data, we are mostly concerned with PII, but FERPA and the very little HIPAA data we have are included as well. We would never give a user a machine that our IT department can’t access.

Brent

Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 24, 2018 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Login Request

Chris, we haven't run into this here, but here are my thoughts on the matter:

1) You are absolutely correct - data should be saved to profile only, so even if someone else did sign in, assuming they didn't have administrative access, they couldn't access the data.
2) Full disk encryption - right on, bitlocker or whatever, usually has a PIN/passcode to prevent the computer from even being booted by unauthorized folks
3) "No" - if it is a university laptop, "you" (being a representative of the IT Department) need to maintain access to the laptop
4) depending on the nature of the data, other controls may be in order (host-based firewall, encrypted folders, etc.)
4.a) If the data is *that* sensitive it probably shouldn't be stored on a laptop that can leave controlled environments
5) Audit trail - set up access logging so that you can prove who has accessed the sensitive data
6) how is this data being backed up?
7) how secure are the user's credentials? MFA?

We have identified certain information on campus, and make sure that it is stored on specific file-shares, for which we have access logging enabled specifically so that we have the audit trail of "who has seen this"

Frank

On Mon, Sep 24, 2018 at 9:16 AM Davis, Chris <CDavis () lourdes edu> wrote:

We received a request from a user who is concerned about security of his laptop. He wants us to make it so no one else can log into the computer. He is concerned about the security of sensitive data on the computer. He is worried that someone else could log into the computer and see his data.

I am not the type to make special accommodations for users, especially when there are easy solutions to achieve the same results. Our suggestion is to train him to save data in his profile only and then provide full disk encryption.

Has anyone else run into a situation like this, and how did you resolve it?

Chris

Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware – Be aware. Stay Secure! Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For more information please visit lourdes.edu/cyberaware<http://lourdes.edu/cyberaware>.

CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University