Educause Security Discussion mailing list archives

Re: Mitigating the Risk of Privacy Breaches in the Home Office


From: Bryce Cunningham <bcunningham () COLLEGES-FENWAY ORG>
Date: Tue, 17 Mar 2020 15:18:20 +0000

Thanks for sending that NIST document. It doesn't directly address my concern of shoulder surfing or viewing of 
unattended screens displaying PII in the home office, but it is a useful general quick reference.
-Bryce

On 3/16/20, 14:04, "Blake Brown" <Blake.Brown () MHCC EDU> wrote:

    NIST has provided a good fact sheet for end users on this topic.
    
    ~Blake
    
    
    
    On 3/16/20, 10:54 AM, "The EDUCAUSE Security Community Group Listserv on behalf of Laura Raderman" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of lraderman () CMU EDU> wrote:
    
        
        Making sure that the employee has either their own computer (ie, no one else has access to it), or if on a 
shared computer, that each person has their own username/password that meet whatever guidance you have on password 
composition.
        
        Laura Raderman
        ISO Policy & Compliance Coordinator
        Carnegie Mellon University
        lraderman () cmu edu
        
        > On Mar 16, 2020, at 1:50 PM, Bryce Cunningham <bcunningham () COLLEGES-FENWAY ORG> wrote:
        > 
        > For obvious reasons, cybersecurity safeguards in the home office are increasing in importance as our schools 
rapidly adjust to a new business environment where working at home is no longer the exception. This is an additional 
concern for institutions that may not be able to provision endpoints for all staff. The more apparent mitigation is 
schools developing and publishing security baselines for employees who work on personally-owned computers 
(anti-malware, VPN, encryption, minimum O/S type and version, software updates, et al.). That’s sensible and necessary, 
but we must also consider the less obvious data loss vector of family, friends, contractors, etc., viewing PII on an 
employee’s computer in the home office. Regardless of how unlikely we think this would occur – or how likely an 
employee would report to us such an incident – it could still be a privacy breach depending on the jurisdiction of the 
institution and the residency and/or nationality of the person whose privacy was breached. I see three controls to 
mitigate this: Privacy screens, password-enabled screen saver with idle activation, and a policy for accessing digital 
PII off campus. Please comment if you can think of other controls to mitigate this specific risk… or have an opinion on 
the necessity of such controls.
        >  
        > Bryce Cunningham, MS, CISM, CISSP
        > Information Security Officer
        > Colleges of the Fenway
        > (ISO for Wentworth Institute of Technology and Mass College of Art and Design)
        > Email: bcunningham () colleges-fenway org
        >  
        > **********
        > Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only 
to the person who sent the message, copy and paste their email address and forward the email reply. Additional 
participation and subscription information can be found at https://www.educause.edu/community
        > 
        
        
    
    


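Editor's note on the second of the three controls Bryce lists (a password-enabled screen saver with idle activation): the thread names the control but not how to verify it on a personally-owned Windows machine. The script below is an added example, not code from anyone in this thread, that checks the effective screen saver settings against an assumed baseline (here 900 seconds; the figure is an assumption, not something the thread specifies) and optionally remediates the per-user values. It reads only the standard registry locations Windows uses for these settings; the Group Policy location is checked first because it overrides the per-user value when both exist.

```powershell
# Added example: verify (and optionally set) a password-protected screen saver
# with an idle timeout on a Windows endpoint. Baseline of 900 s is an assumption.
$MaxIdleSeconds = 900
$Remediate      = $false   # set to $true to write the per-user values below

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Policy hive wins over the per-user hive when both define a value.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveSetting {
    param([string]$Name)
    $v = Get-RegValue -Path $PolicyKey -Name $Name
    if ($null -eq $v) { $v = Get-RegValue -Path $UserKey -Name $Name }
    return $v
}

$active  = Get-EffectiveSetting 'ScreenSaveActive'      # "1" = enabled
$secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'   # "1" = password on resume
$timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'     # seconds, stored as a string
$saver   = Get-EffectiveSetting 'SCRNSAVE.EXE'          # path of the saver that will run

# Separate machine-wide control: "Interactive logon: Machine inactivity limit".
# It locks the session independently of the screen saver, so it can satisfy
# the same requirement on its own.
$machineIdle = Get-RegValue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'InactivityTimeoutSecs'

$findings = @()
if ($active -ne '1')              { $findings += 'Screen saver is not enabled' }
if ($secure -ne '1')              { $findings += 'Screen saver does not require a password on resume' }
if (-not $saver)                  { $findings += 'No screen saver program is configured, so the timer never fires' }
if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "Idle timeout '$timeout' is unset or exceeds $MaxIdleSeconds s"
}

$lockedByMachinePolicy = ($null -ne $machineIdle) -and
                         ([int]$machineIdle -gt 0) -and
                         ([int]$machineIdle -le $MaxIdleSeconds)

if ($findings.Count -eq 0 -or $lockedByMachinePolicy) {
    Write-Output "COMPLIANT: session locks after at most $MaxIdleSeconds s of inactivity"
} else {
    Write-Output 'NON-COMPLIANT:'
    $findings | ForEach-Object { Write-Output "  - $_" }

    if ($Remediate) {
        # Per-user remediation; a domain or MDM policy would normally set these
        # instead, and the values take effect at the next logon.
        Set-ItemProperty -Path $UserKey -Name 'ScreenSaveActive'    -Value '1'
        Set-ItemProperty -Path $UserKey -Name 'ScreenSaverIsSecure' -Value '1'
        Set-ItemProperty -Path $UserKey -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds"
        # scrnsave.scr is the built-in blank screen saver shipped with Windows.
        Set-ItemProperty -Path $UserKey -Name 'SCRNSAVE.EXE' `
            -Value "$env:SystemRoot\System32\scrnsave.scr"
        Write-Output 'Per-user screen saver values written; log off and on to apply.'
    }
}
```

Two caveats a practitioner would want alongside this: on a shared family computer the check only covers the account it runs under, which is why Laura's point about each person having their own username and password matters, and an idle lock does nothing against shoulder surfing while the employee is present, which is what the privacy screen control is for.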
