Educause Security Discussion mailing list archives

Re: Policy - Employees using personal storage

From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Sun, 21 Jul 2019 14:26:20 +0000

+1



This is very close to what we do.  Providing sanctioned options is important.



From: The EDUCAUSE Security Community Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jack Suess
Sent: Friday, July 19, 2019 10:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy - Employees using personal storage



**** EXTERNAL EMAIL ****

Ronald,



How many faculty or staff  have you disciplined for using a personal 3rd party 
storage service?



I ask because it is 1) easy to state you can't do this, and 2) very difficult 
to actually enforce this. I don't disagree with policy that is a CYA but 
legally, if you don't enforce your policies you can end up complicit in a 
violation of policy.



Our strategy is we have institutional agreements with Box, google, and 
microsoft 365. Our position is that central IT is responsible for the 
protection of any research data or institutional data using our 3rd party 
storage  tools as we have documented (note, we do license Cisco cloudlock to 
examine  data flows outside the enterprise for each service) so long as your 
use your institutional credentials. If you use your personal account or 
institutional email with your own password and have an security issue arise 
the liability is yours and the university can take action to discipline you, 
such as termination.



The key difference is as long as your use your university account you are 
protected - we'll give you options for a variety of 3rd party storage. Where 
we separate the products is health care data, in that case we have a BAA with 
Microsoft and Box, but not google.



To answer my own question, we have not had to go after any employees because 
data from a personal 3rd party storage leaked out and was inappropriate. We 
have been google apps since 2010, Box since 2012, an O365 since 2014.  Saying 
that, I know a number of faculty still use dropbox, which we don't have an 
enterprise agreement with.  As we look at this it is generally their small 
research group sharing files and we encourage them to move to one of the big 
three to get more storage and better protection.





j



Jack Suess             UMBC VP of IT & CIO
jack () umbc edu <mailto:jack () umbc edu>      1000 Hilltop Circle
410.455.2582          Baltimore Md, 21250







On Fri, Jul 19, 2019 at 2:48 PM King, Ronald A. <raking () nsu edu 
<mailto:raking () nsu edu> > wrote:

Our AUP states the following is prohibited:
Installing online storage applications, such as OneDrive, Google Drive, or 
storing University data on online storage.

Note: This restriction does not apply to students and faculty using online 
storage for academic purposes only, i.e. teaching the use of online storage, 
or sharing class/educational Page 7 of 9 material not containing 
sensitive/protected information.


Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-3918 (Office)
raking () nsu edu <mailto:raking () nsu edu> <mailto:raking () nsu edu 
<mailto:raking () nsu edu> >
www.nsu.edu 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.nsu.edu&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=Aphr27vJhUlXtBH8KnAxLhqx8wzwP05bo1IsNRc6muM&e=>
 
<http://www.nsu.edu 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.nsu.edu&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=Aphr27vJhUlXtBH8KnAxLhqx8wzwP05bo1IsNRc6muM&e=>

@NSUCISO (Twitter)

[NSU_logo_horiz_tag_4c - Smaller]


From: The EDUCAUSE Security Community Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > on 
behalf of Keenan Martinez 
<0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU 
<mailto:0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU> >
Reply-To: The EDUCAUSE Security Community Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> >
Date: Friday, July 19, 2019 at 8:05 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> " 
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> >
Subject: [SECURITY] Policy - Employees using personal storage

Good day,

Can members advise how they treat with employees who use their personal online 
storage (Gmail, Hotmail, Dropbox, etc) to store company files instead of 
company assigned storage? Is there a policy there would guide the restricted 
use?

Thanks in advance.

Regards,



Keenan Martinez
Manager -  Information Technology & METS
The Arthur Lok Jack Global School of Business
1, Max Richards Drive, Uriah Butler Highway North West, Mt. Hope. Trinidad & 
Tobago (UTC -4 hours)
Mt. Hope, Trinidad, W.I.
Tel : (868) 645-6700 ext: 333| (868) 498-0764 | Email : 
k.martinez () lokjackgsb edu tt <mailto:k.martinez () lokjackgsb edu tt> 
|<mailto:k.martinez () lokjackgsb edu tt <mailto:k.martinez () lokjackgsb edu tt> |> 
www.lokjackgsb.edu.tt 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.lokjackgsb.edu.tt&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=ijI2IFycQfaLbpv9wFgXMuQ4kyLWRiH6o5TQfqBC1v8&e=>
 
<http://www.lokjackgsb.edu.tt/ 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.lokjackgsb.edu.tt_&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=DvRtlwx4kRX2rKCZJYUXwrWlLqmw3w6jLtY-jJ14dls&e=>


[signature_1247171682]


Empowering UWI-ALJGSB to thrive in a digital world

_____________________________________________________________________ Please 
note that this message and any attachments may contain confidential and 
proprietary material and information and are intended only for the use of the 
intended recipient(s). If you are not the intended recipient, you are hereby 
notified that any review, use, disclosure, dissemination, distribution or 
copying of this message and any attachments is strictly prohibited. If you 
have received this email in error, please immediately notify the sender and 
destroy this e-mail and any attachments and all copies, whether electronic or 
printed. Thank you.

Attachment: smime.p7s
Description:

Current thread:

Policy - Employees using personal storage Keenan Martinez (Jul 19)
- Re: Policy - Employees using personal storage Jerry Tylutki (Jul 19)
- Re: Policy - Employees using personal storage Giacobe, Nick (Jul 19)
- <Possible follow-ups>
- Re: Policy - Employees using personal storage King, Ronald A. (Jul 19)
  - Re: Policy - Employees using personal storage Jimmy Surrett (Jul 19)
  - Re: Policy - Employees using personal storage Jack Suess (Jul 19)
    - Re: Policy - Employees using personal storage Jones, Mark B (Jul 21)
    - Re: Policy - Employees using personal storage Keenan Martinez (Jul 22)
    - Re: Policy - Employees using personal storage King, Ronald A. (Aug 15)