Educause Security Discussion mailing list archives
Re: Policy - Employees using personal storage
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Sun, 21 Jul 2019 14:26:20 +0000
+1 This is very close to what we do. Providing sanctioned options is important. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jack Suess Sent: Friday, July 19, 2019 10:12 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Policy - Employees using personal storage **** EXTERNAL EMAIL **** Ronald, How many faculty or staff have you disciplined for using a personal 3rd party storage service? I ask because it is 1) easy to state you can't do this, and 2) very difficult to actually enforce this. I don't disagree with policy that is a CYA but legally, if you don't enforce your policies you can end up complicit in a violation of policy. Our strategy is we have institutional agreements with Box, google, and microsoft 365. Our position is that central IT is responsible for the protection of any research data or institutional data using our 3rd party storage tools as we have documented (note, we do license Cisco cloudlock to examine data flows outside the enterprise for each service) so long as your use your institutional credentials. If you use your personal account or institutional email with your own password and have an security issue arise the liability is yours and the university can take action to discipline you, such as termination. The key difference is as long as your use your university account you are protected - we'll give you options for a variety of 3rd party storage. Where we separate the products is health care data, in that case we have a BAA with Microsoft and Box, but not google. To answer my own question, we have not had to go after any employees because data from a personal 3rd party storage leaked out and was inappropriate. We have been google apps since 2010, Box since 2012, an O365 since 2014. Saying that, I know a number of faculty still use dropbox, which we don't have an enterprise agreement with. As we look at this it is generally their small research group sharing files and we encourage them to move to one of the big three to get more storage and better protection. j Jack Suess UMBC VP of IT & CIO jack () umbc edu <mailto:jack () umbc edu> 1000 Hilltop Circle 410.455.2582 Baltimore Md, 21250 On Fri, Jul 19, 2019 at 2:48 PM King, Ronald A. <raking () nsu edu <mailto:raking () nsu edu> > wrote: Our AUP states the following is prohibited: Installing online storage applications, such as OneDrive, Google Drive, or storing University data on online storage. Note: This restriction does not apply to students and faculty using online storage for academic purposes only, i.e. teaching the use of online storage, or sharing class/educational Page 7 of 9 material not containing sensitive/protected information. Ronald King Chief Information Security Officer Office of Information Technology (757) 823-3918 (Office) raking () nsu edu <mailto:raking () nsu edu> <mailto:raking () nsu edu <mailto:raking () nsu edu> > www.nsu.edu <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.nsu.edu&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=Aphr27vJhUlXtBH8KnAxLhqx8wzwP05bo1IsNRc6muM&e=> <http://www.nsu.edu <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.nsu.edu&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=Aphr27vJhUlXtBH8KnAxLhqx8wzwP05bo1IsNRc6muM&e=>
@NSUCISO (Twitter) [NSU_logo_horiz_tag_4c - Smaller] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > on behalf of Keenan Martinez <0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU <mailto:0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU> > Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > Date: Friday, July 19, 2019 at 8:05 AM To: "SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> " <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > Subject: [SECURITY] Policy - Employees using personal storage Good day, Can members advise how they treat with employees who use their personal online storage (Gmail, Hotmail, Dropbox, etc) to store company files instead of company assigned storage? Is there a policy there would guide the restricted use? Thanks in advance. Regards, Keenan Martinez Manager - Information Technology & METS The Arthur Lok Jack Global School of Business 1, Max Richards Drive, Uriah Butler Highway North West, Mt. Hope. Trinidad & Tobago (UTC -4 hours) Mt. Hope, Trinidad, W.I. Tel : (868) 645-6700 ext: 333| (868) 498-0764 | Email : k.martinez () lokjackgsb edu tt <mailto:k.martinez () lokjackgsb edu tt> |<mailto:k.martinez () lokjackgsb edu tt <mailto:k.martinez () lokjackgsb edu tt> |> www.lokjackgsb.edu.tt <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.lokjackgsb.edu.tt&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=ijI2IFycQfaLbpv9wFgXMuQ4kyLWRiH6o5TQfqBC1v8&e=> <http://www.lokjackgsb.edu.tt/ <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.lokjackgsb.edu.tt_&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=FpJTbHa7KhEB6LOjzO_-7TwSopB1SglmMFwqClkoPrc&s=DvRtlwx4kRX2rKCZJYUXwrWlLqmw3w6jLtY-jJ14dls&e=>
[signature_1247171682] Empowering UWI-ALJGSB to thrive in a digital world _____________________________________________________________________ Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Thank you.
Attachment:
smime.p7s
Description:
Current thread:
- Policy - Employees using personal storage Keenan Martinez (Jul 19)
- Re: Policy - Employees using personal storage Jerry Tylutki (Jul 19)
- Re: Policy - Employees using personal storage Giacobe, Nick (Jul 19)
- <Possible follow-ups>
- Re: Policy - Employees using personal storage King, Ronald A. (Jul 19)
- Re: Policy - Employees using personal storage Jimmy Surrett (Jul 19)
- Re: Policy - Employees using personal storage Jack Suess (Jul 19)
- Re: Policy - Employees using personal storage Jones, Mark B (Jul 21)
- Re: Policy - Employees using personal storage Keenan Martinez (Jul 22)
- Re: Policy - Employees using personal storage King, Ronald A. (Aug 15)