Re:

[Sam Stelfox <sstelfox () VTC VSC EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree, a lot of faculty and staff don't understand that a large number
of the files they work with are sensitive information. Some are aware
that they have it, they just don't consider it sensitive. Other cases
are caches for programs that are used to access the sensitive data. In
this case I can understand  why the faculty/staff member wouldn't be
aware of it.

A random audit policy on computers would be a good thing to have in
addition to an encryption policy. There are other benefits as well. We
had a faculty member lose a laptop but not report it for several months,
when they finally reported it we had to assemble our security response
team. The guy found it that afternoon, but the point is a random audit
would also help you see "missing" equipment possibly before it is reported.

- --

                                - Sam Stelfox

Harold Winshel wrote:
> Our experience is that faculty and staff almost universally don't think
> they have sensitive data but usually do.
>
> The way we look at full disk encryption is that, in the event that a
> notebook is stolen or misplaced, we don't need to worry about whether
> there was or wasn't sensitive data on it. Our understanding is that full
> disk encryption would negate that as an issue and it would not need to
> be a reportable event.
>
>
> At 12:36 PM 12/17/2007, Gary Dobbins wrote:
> > Maybe this is too flippant, maybe not, depending on your environment,
> > but isn’t it all about the data?  If the person doesn’t handle any
> > protected or sensitive data then they may not need encryption.
> >  
> > So, if he doesn’t want to encrypt, no problem, he just can’t have any
> > of the above data on his system.
> > Maybe that’s a practical option for him; to just use a kiosk or a
> > co-worker for submitting student grades.
> >  
> > After all, encryption is to cover the case where University or
> > protected data fall out of his control along with the machine.  If
> > they’re not in his possession, the machine is just a toaster – buy a
> > new one if lost.
> >  
> > See, I knew it would sound flip…
> >  
> >  
> >  
> > *From:* Mclaughlin, Kevin (mclaugkl) [ mailto:mclaugkl () UCMAIL UC EDU]
> > *Sent:* Monday, December 17, 2007 12:15 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY]
> >  
> > Hi All:
> >  
> > I am having a bit of a tussle with a faculty member who is on one of
> > the committees that already approved UC having a Full Disk Encryption
> > Policy.  I won’t overload you with the verbose emails that have gone
> > back and forth but it seems that his concern is summed up in that he
> > doesn’t want a policy for this as that makes it mandatory and he is
> > making some grandiose blanket statements about the impact to faculty
> > if we have a Full Disk Encryption policy in place. (see below)   The
> > policy basically says:  all PCs that store restricted data (FERPA,
> > HIPAA, GLB, PCI) will be encrypted with PGP’s full disk encryption
> > software at no cost to the individual or department. This software
> > will be supported, as needed, by Central IT.  
> >  
> >  
> > Hi Kevin
> >
> > Encouraging FDE (full disk encryption) is fine.  Mandating it ­ is not.  
> >
> > Regarding your comment that “My profession is all about Risk mgt and
> > mitigation”.
> > That is the trouble with the policy.  Faculty teach, do research, etc.
> > The policy needs to strike a balance. In years past, we had similar
> > discussions about libraries.  To protect the books, libraries should
> > simply close their doors. A balance needs to found.
> >
> > The goal of the policy should be to assist professors to follow the
> > law while they do their job.
> >  
> >  
> > Here’s my question:  I have talked about how transparent the tool is,
> > my team and I have used it for about 6 months now;  I have talked
> > about how as an adjunct I found it easy to use, and I have talked
> > about how this *_IS_* a tool that allows faculty to do their job and
> > to safeguard information at the same time.   I have also offered to
> > let him try the tool and he has not taken me up on that.  The net
> > result I have had is nill. 
> >  
> > Have any of you had success with a technique to overcome this type of
> > obstacle?   I have no doubt that the policy will be approved and moved
> > forward but I would also like to get this very vocal faculty member’s
> > support if possible.
> >  
> > Thanks,
> >  
> > -Kevin
> >  
> >  
> >  
> > Kevin L. McLaughlin
> > CISM, CISSP, PMP, ITIL Master Certified
> > Director, Information Security
> > University of Cincinnati
> > 513-556-9177 (w)
> > 513-703-3211 (m)
> > 513-558-ISEC (department)
> >  
> >  
> >  UC-Logo-800
> >  
> >
> > *CONFIDENTIALITY NOTICE*: This e-mail message and its content is
> > confidential, intended solely for the addressee, and may be legally
> > privileged. Access to this message and its content by any individual
> > or entity other than those identified in this message is unauthorized.
> > If you are not the intended recipient, any disclosure, copying or
> > distribution of this e-mail may be unlawful. Any action taken or
> > omitted due to the content of this message is prohibited and may be
> > unlawful.
> >  
> >  
> > Content-Type: image/png;
> >          name="image001.png"
> > Content-ID: <image001.png@01C840A9.64A206D0>
> > X-WatchGuard-AntiVirus: scanned 'image001.png'. clean action=allow
> Harold Winshel
> Computing and Instructional Technologies
> Faculty of Arts & Sciences
> Rutgers University, Camden Campus
> 311 N. 5th Street, Room B10 Armitage Hall
> Camden NJ 08102
> (856) 225-6669 (O)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHZ8i53bWuqvNiD7ERAvMCAJ9I0jhjvACtD19JRRyO7PtOLobODwCfYF+Z
ecCwXHpeU+ZsGU5pQuKGyMo=
=2rbT
-----END PGP SIGNATURE-----