Re: Policy language around email and other forms of "official electronic communication" platforms

[Alex Lindstrom <aglind () UDEL EDU>]

Building on the above:

We prohibit sensitive data being emailed in cleartext. The first workaround
would be to put the data in an encrypted attachment, but that's not the
best fix.

Usually, if there's a business process that requires routine communication
or transfer of sensitive data, we work with the business owner to identify
a solution that suits their needs and protects the data at the same time.
I'm a firm believer in building security and compliance into easy-to-use
solutions; policy directives in the absence of user-friendly options will
simply lead to policy violations.

E.g.: our clinics needed a secure mechanism for communicating with
patients. We ended up using some of the native Outlook and O365 features to
create a secure message delivery service where the recipient receives an
email notification that a message is available, and the message itself is
encrypted and held in a separate portal until the user authenticates. No
more PHI in the email itself, encrypted or not. This functionality is baked
into some practice management or other systems, and I'd recommend keeping
these compliance needs in mind if you're aware of any upcoming RFPs or
procurement activity.



More holistically speaking, data classification and information security
policies need to apply to the entire ecosystem. After all, while email may
be the lowest common denominator, many departments have specialized
communication tools built into their needs-specific platforms (e.g., CRM,
LMS).

The best approach I've seen is based on a service catalog keyed to data
classification. Some examples of these service catalogs from our peers:

   - Stanford:
   https://uit.stanford.edu/guide/riskclassifications#security-approved-services
   - University of Michigan: https://safecomputing.umich.edu/dataguide/
   - Yale: https://cybersecurity.yale.edu/approved-services

This covers everything from file storage to collaboration platforms and
helps (1) advertise services, (2) reinforce policy, and (3) help users
choose compliant tools.

The next step from here is proactive business process engineering to ensure
that everyone, especially those working with sensitive/regulated data, has
compliant and appropriate tools in their workflows. This includes
substituting in available options or partnering to procure a new solution
(if needed).

Best,
-----

Alex Lindstrom

IT Security Analyst II
UDIT Security | Governance, Risk, & Compliance

(302) 831-4823


On Fri, Jan 22, 2021 at 4:59 PM Catherine Ullman <cende () buffalo edu> wrote:

> Jim,
>
>
>
> I’d dovetail with Brian’s comments especially about avoiding PII/regulated
> data in all of these platforms.  The reality is that email, generally
> speaking, is by its very nature not secure –even though there are ways to
> make it more secure—and these messaging platforms also have risks.  Asking
> people to remember not to send PII to external entities is, IMHO, not
> practical.  For example, you’ll have people who send a message to 3 people
> internally and one externally, forgetting that they weren’t supposed to do
> it.  Even putting all the bells and whistles of O365 in place, I wouldn’t
> take that chance.  But that’s just my $0.02.
>
>
>
> Best,
>
> Cathy
>
>
>
>
>
> Dr. Catherine J Ullman
>
> Senior Information Security Forensic Analyst
>
> Information Security Office
>
> University at Buffalo
>
> cende () buffalo edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Martinez, Brian
> *Sent:* Friday, January 22, 2021 4:50 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Policy language around email and other forms of
> "official electronic communication" platforms
>
>
>
> Jim,
>
>
>
> My two cents: while email may be the “official electronic communication
> platform” I would tend to stay away from PII being used within it, whether
> internal or not. Worst case, assuming you have access to such tools (I
> think it’s built-in at all level of 365(?)), utilize the #encrypt feature
> in the subject line to encrypt sensitive data. Best case, you find some
> other more secure medium to act as an intermediary for sending/receiving
> such data.
>
>
>
> I’d consider Teams within the same realm as email. The whole idea behind
> Slack, originally, was to be an “email replacement.” I feel Microsoft
> really made better progress towards that than Slack did given how heavily
> Teams ties into the [collaborative] 365 environment. And, of course, during
> this pandemic, Teams usage has become pervasive. While certainly a separate
> product from Outlook/Exchange, it is likely assessed similarly (by which I
> mean the answers on a HECVAT from the Microsoft Teams team would likely be
> nearly the same answers provided by the Microsoft Mail team). I would think
> Zoom, Blackboard, and any other products in which you can message should be
> encompassed in the policy as well, but I would absolutely *not* send
> anything PII through them and it sounds like your policy would already
> address that. Shorter answer here: Yes, definitely include other forms of
> electronic communication in said policy.
>
>
>
> Regards,
>
>
>
> Brian R. Martinez
>
> Information Security
>
> Michigan State University
>
> Office: +1-517-884-8791
>
> brm () msu edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Bole, Jim A
> *Sent:* Friday, January 22, 2021 11:54 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Policy language around email and other forms of
> "official electronic communication" platforms
>
>
>
> We’re working on an email policy that is mostly focused on making sure
> everyone knows email is the main official method of communication. There
> are sections about no expectation of privacy, every has to read their
> emails, etc.
>
>
>
> There is a section on using email for sensitive data. We do have a simple
> data classification standard, but we don’t have clearly defined rules for
> when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc).
>
>
>
> I think there should be a distinction between emails sent internally vs
> externally. We’re an O365 shop and my understanding is that email (and
> other data such as OneDrive, Teams) within our tenant meets basic
> encryption requirements for both in-transit and at-rest conditions (outside
> of the issue of Microsoft having the keys/certs). External email is a
> qualified “maybe” with some services negotiation secure transport while
> others don’t. So we can’t guarantee the security/encryption.
>
>
>
> I’m curious if others agree with this.
>
>
>
> I’m also looking at added sections for bulk mail, relaying and forwarding.
>
>
>
> And, I wonder if it makes sense to expand the policy to include other
> forms of `’official electronic communication.” Is Teams the same as email?
> What about chat in Blackboard or Zoom? While these may not be used to
> communicate official university announcements, they are used by student and
> employees to conduct sanctioned university operations. So for that there
> should be similar rules about no privacy, sensitive information,
> inappropriate use, etc. I’m torn on this aspect, so I’d be interested in
> feedback.
>
>
>
> Any other suggestions or examples of good policies appreciated.
>
>
>
>
>
> Jim Bole
>
> Chief Information Security Officer
>
> Information Technology Services
>
> University at Albany
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.educause.edu%2Fcommunity__%3B!!HXCxUKc!iOmUgagRsdy4F9Gu_QcjBRylUqOUtLA7jrtZyNQw-0PYS_yOmWiX4fRvd5k%24&data=04%7C01%7Ccende%40buffalo.edu%7Cfd301b10a5784ba9aec308d8bf1f9f5c%7C96464a8af8ed40b199e25f6b50a20250%7C0%7C0%7C637469490140414280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=wA5Fmnsr9B9xKtQbdAFLSCBoRL2rVTh0ScqrLhDm8sg%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccende%40buffalo.edu%7Cfd301b10a5784ba9aec308d8bf1f9f5c%7C96464a8af8ed40b199e25f6b50a20250%7C0%7C0%7C637469490140424246%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lpaQ5Lb9LiNuFSyIu34Qiiz8Zq%2FOTTDJqKGkZ%2FYK6TM%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community