Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] Student employees and access to data
From: Mike Beane <beanem () HUSSON EDU>
Date: Fri, 10 May 2019 11:33:21 -0400
> They get a separate email account for work stuff (this is important to
> quickly revoke access without interfering with their academics.)
> Unfortunately, our reslife student employees don’t follow this and I
> haven’t had any luck in having any enforcement on this. They aren’t hired
> through HR so it’s an edge case.

We're in this category (including RA's). This past academic year was our first run through using a separate account and we've just refined our internal process for the summer session: we have very good buy-in from the departments and we were also able to progress this by applying role based access to the process: this streamlined the request process greatly. Getting in touch with HR early on in the planning to explain the reasoning was essential so as to get their support.

We created a sub-domain for their email (@ws.<institution>.edu), the account mirrors their base account information ("ws-"+accountname) and the visual name in the email directory (Google), when active, has "FirstName LastName (Workstudy)" to set it visually aside from the student account.

Prior to that, we found that business data would become intertwined with academic data, and separating those is nearly impossible.

Additionally, as work studies tend to come and go sometimes, we were able to define a specific time annually when we can disable all work study accounts that have not been renewed for position access (which ends up being tomorrow for us by way of Graduation) into the summer session.

Best regards,
Mike

*Mike Beane*
IT Infrastructure Manager
*Ph:* 207-941-7613
*Husson University*
1 College Circle
Bangor ME 04401

On Fri, May 10, 2019 at 10:24 AM James Valente <jvalente () salemstate edu> wrote:
> We use a similar strategy as Sherry describes for most of our student workers.
>
> -Students in Sensitive areas get security awareness training (diverges from non-student employees, all of which get this training when onboarded)
> -Students who handle PCI data get annual PCI training as required by PCI-DSS
> -They get a separate email account for work stuff (this is important to quickly revoke access without interfering with their academics.) Unfortunately, our reslife student employees don’t follow this and I haven’t had any luck in having any enforcement on this. They aren’t hired through HR so it’s an edge case.
>
> We’ve been fortunate that our FTEs in sensitive areas that also manage student workers have been great allies to our security program. There’s some gaps in reaching student workers in various academic departments, the library, and so forth but the nature of their work also presents a lot less institutional risk.
>
> Thanks,
>
> James Valente
> Associate Director of Information Security
> Salem State University
> 978.542.2739
> GPG Fingerprint: B086 58B5 DE53 328A 210D 5F3D BF20 1E0A 813A EDD1
>
> *From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Pesino, Sherry
> *Sent:* Friday, 10 May, 2019 10:18
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [EXTERNAL] Re: [SECURITY] Student employees and access to data
>
> *CAUTION:* This email originated from outside of Salem State University. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> We treat our student employees like traditional employees. They have access to what they need to complete the work they are hired to do. They also must complete the same awareness training and follow the same policies as full time employees and use an official email account for any work related email.
>
> Sherry
> ____________
> Sherry Pesino, CISSP
> Information Security Program Office
> Connecticut State Colleges and Universities
> 61 Woodland Street
> Hartford, CT 06105
> 860-723-0021
> pesinos () ct edu
>
> *From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Pete, Andrew
> *Sent:* Friday, May 10, 2019 10:12 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Student employees and access to data
>
> We have a number of departments that have work study students. I’m curious what other institutions are doing around access to data that may be sensitive whether in hard copy or digital format. What do you allow, what don’t you allow? What types of policies/procedures do you have in place?