Educause Security Discussion mailing list archives

Re: Faculty personal laptops with FERPA data


From: Jerry Tylutki <jtylutki () HAMILTON EDU>
Date: Mon, 29 Jul 2019 13:38:48 -0400

Our current AUP and Data Class prohibit storing confidential data on
personally owned laptops and devices, which is easier to enforce as we
allocate a device to each faculty and staff member. I could envision two
potential solutions: the first would be to implement an exception process
that includes an exception request being submitted and tracked. This would
require the personally owned device to meet certain security criteria (full
device encryption, antivirus, patching, UAC or equivalent, scanning on a
regular basis, joining the domain(?)) that would effectively meet
controlled endpoint security settings. This would be reviewed (at least)
annually and require the approval of the dean/provost and data owner. The
second solution, and more acceptable (until I think of a better solution
:-), would be to prohibit storing of that information locally and require
secured access through a VPN with MFA enabled to access the information
that is stored remotely on secure, controlled hosts.

Any solution is going to be a challenge to implement with faculty; have
open conversations where you present the security challenge of protecting
the confidentiality/availability/integrity of FERPA-protected data with
your adjunct faculty. It helps both parties to see the problem through the
other perspective: How does this AUP change alter their daily teaching
duties? How does having this data present cause potential security problems
(data breach, legal ramifications, regulatory audits)?

*-------*

*Jerry Tylutki*
*Information Security Officer*
*Hamilton College*

*(315) 859-4289 -- office*



On Mon, Jul 29, 2019 at 12:50 PM Yerk-Zwickl, Sherri <yerk-zwickl () campbell edu> wrote:

All,

I have been searching the archives for some info I thought would be pretty
straightforward, but haven’t found anything recent, so here goes…



In updating our security policies we are defining information
classifications that explicitly define FERPA (and other data) as
Confidential. Our revised AUP states that Confidential data cannot be
stored on personal devices/laptops.

We have tons of adjunct faculty that use their own laptops for teaching
and of course that means FERPA data being stored on those computers.



How are you dealing with this situation? Clearly we will not be buying all
these adjuncts laptops so that they are university-owned and managed
devices.



Would gratefully accept your advice on how your institutions handle this
situation…



Thanks,

Sherri



*Sherri Yerk-Zwickl*

Associate Vice President for Information Technology and Chief Information
Officer






