Educause Security Discussion mailing list archives

Re: Personal Email and other Services


From: Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Date: Thu, 2 May 2019 18:04:01 +0000

Hi Petrus,

Generally, we don't allow it. All institution business has to be on a college sanctioned/supported platform.
Full disclosure, we are an Office 365 shop. We do make exceptions case by case when requested to allow the use of
services like Dropbox or Google if:

1. Clear ownership is established (who will be in charge of managing this service).

2. After evaluating the purpose, the type of contents, and the reason for using such service, we deem it has a low security and compliance risk.

3. An admin account is created to allow the IT office to manage the service if needed (and for assessment/monitoring).

4. An "understanding" document is signed stating that the owners who are responsible for the service understand the restrictions and potential risks.

5. IT Office reserves the right to terminate the use of such service at any given time if any violation of the "understanding" and/or any other security compliance is detected on such service/platform.

6. Annual review on whether to renew the service contract and re-evaluate if the original reasons for using such service are still valid. If the reasons are no longer valid (i.e. we now have the technology/infrastructure to do what wasn't available in the past), we will give the owners time to migrate to a recommended/supported system and then terminate the service.

After I explained this policy to people - most have opted to use a supported system.
Hope this helps!

Regards
Jeff


"A problem well put is half solved." - John Dewey

Jeff Choo - Director, Information Technology | Information Security Officer
William James College
One Wells Avenue, Newton, MA 02459
Helpdesk: 617-327-6777 x1600
Direct: 617-564-9344
Email: jeff_choo () williamjames edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Petrus Williams
Sent: Thursday, May 2, 2019 1:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Personal Email and other Services

Due to the influx of new software developers (many from Higher Education Institutions) we are being asked to relax our
policy about not using personal services (email, Dropbox, Google, git, etc.) for storing or conducting institution
business. The main reason for our current policy is that those work products are considered belonging to the
institution and as such when you leave the institution we want to make sure that the work product stays with us (of
course there is no guarantee that a copy won't make it out in some form or fashion but that's another topic). There are
also security concerns (personal email services may be hosted under someone's desk at home!). There are some rumblings
that these restrictions are too limiting for this new crop of developers.

So I ask: at your institutions, what is the general policy on conducting institution business using personal services
(email, Dropbox, git, etc.)? Thanks for your feedback.

Thanks,

Petrus Williams
J. Paul Getty Trust
Assistant Director GDI Infrastructure & Operations
Phone 310-440-6397
