Educause Security Discussion mailing list archives
Re: Faculty personal laptops with FERPA data
From: Jerry Tylutki <jtylutki () HAMILTON EDU>
Date: Mon, 29 Jul 2019 13:38:48 -0400
Our current AUP and Data Class prohibits storing confidential data on personally owned laptops and devices; which is easier to enforce as we allocate a device to each faculty and staff member. I could envision two potential solutions: the first would be to implement an exception process that includes an exception request being submitted and tracked. This would require the personally owned device to meet certain security criteria (full device encryption, antivirus, patching, UAC or equivalent, scanning on a regular basis, joining the domain(?)) that would effectively meet controlled endpoint security settings. This would be reviewed (at least) annually and require the approval of the dean/provost and data owner. The second solution, and more acceptable (until I think of a better solution :-), would be to prohibit storing of that information locally and require secured access through a VPN with MFA enabled to access the information that is stored remotely on secure, controlled hosts. Any solution is going to be a challenge to implement with faculty; have open conversations where you present the security challenge of protecting the confidentiality/availability/integrity of FERPA-protected data with your adjunct faculty. It helps both parties to see the problem through the other perspective: How does this AUP change alter their daily teaching duties? How does having this data present cause potential security problems (data breach, legal ramifications, regulatory audits)? *-------* *Jerry TylutkiInformation Security Officer* *Hamilton College* *(315) 859-4289 -- office* ******The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender and delete the email and its contents.****** On Mon, Jul 29, 2019 at 12:50 PM Yerk-Zwickl, Sherri < yerk-zwickl () campbell edu> wrote:
All, I have been searching the archives for some info I thought would be pretty straightforward, but haven’t found anything recent, so here goes… In updating our security policies we are defining information classifications that explicitly defines FERPA (and other data) as Confidential. Our revised AUP states that Confidential data cannot be stored on personal devices/laptops. We have tons of adjunct faculty that use their own laptops for teaching and of course that means FERPA data being stored on those computers. How are you dealing with this situation? Clearly we will not be buying all these adjuncts laptops so that they are university-owned and managed devices. Would gratefully accept your advice on how your institutions handle this situation… Thanks, Sherri *Sherri Yerk-Zwickl* Associate Vice President for Information Technology and Chief Information Officer [image: ITS_Horizontal Align - Screen_SYZ]
Current thread:
- Faculty personal laptops with FERPA data Yerk-Zwickl, Sherri (Jul 29)
- Re: Faculty personal laptops with FERPA data Jerry Tylutki (Jul 29)
- Re: Faculty personal laptops with FERPA data Joel McKenzie (Jul 29)
- Re: Faculty personal laptops with FERPA data David Escalante (Jul 29)