Re:

["Hatala, Jeffrey" <hatala_j () SUNYBROOME EDU>]

To add to this thread, we too look at protecting all our servers,
computers, laptops, stick media and tapes that have sensitive and
mission critical data. We try to find the time to plan and perform tasks
from risk assessment to disaster recovery and everything in between.  It
is easy to identify our sensitive data from IT's point of view, but what
is REALLY out there and available.  This may have already been mentioned
in previous emails, it's a tool we use from Cornell University called
"Spider" .   We were amazed at what we found and where.  Check it out.
Merry Christmas to all.

http://www.cit.cornell.edu/security/tools/

 

Jeff Hatala - Broome Community College 

 

________________________________

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] 
Sent: Monday, December 17, 2007 7:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY]

 

Our experience is that faculty and staff almost universally don't think
they have sensitive data but usually do.

The way we look at full disk encryption is that, in the event that a
notebook is stolen or misplaced, we don't need to worry about whether
there was or wasn't sensitive data on it. Our understanding is that full
disk encryption would negate that as an issue and it would not need to
be a reportable event.


At 12:36 PM 12/17/2007, Gary Dobbins wrote:



Maybe this is too flippant, maybe not, depending on your environment,
but isn't it all about the data?  If the person doesn't handle any
protected or sensitive data then they may not need encryption.
 
So, if he doesn't want to encrypt, no problem, he just can't have any of
the above data on his system.
Maybe that's a practical option for him; to just use a kiosk or a
co-worker for submitting student grades.
 
After all, encryption is to cover the case where University or protected
data fall out of his control along with the machine.  If they're not in
his possession, the machine is just a toaster - buy a new one if lost.
 
See, I knew it would sound flip...
 
 
 
From: Mclaughlin, Kevin (mclaugkl) [ mailto:mclaugkl () UCMAIL UC EDU
<mailto:mclaugkl () UCMAIL UC EDU> ] 
Sent: Monday, December 17, 2007 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]
 
Hi All:
 
I am having a bit of a tussle with a faculty member who is on one of the
committees that already approved UC having a Full Disk Encryption
Policy.  I won't overload you with the verbose emails that have gone
back and forth but it seems that his concern is summed up in that he
doesn't want a policy for this as that makes it mandatory and he is
making some grandiose blanket statements about the impact to faculty if
we have a Full Disk Encryption policy in place. (see below)   The policy
basically says:  all PCs that store restricted data (FERPA, HIPAA, GLB,
PCI) will be encrypted with PGP's full disk encryption software at no
cost to the individual or department. This software will be supported,
as needed, by Central IT.   
 
 
Hi Kevin

Encouraging FDE (full disk encryption) is fine.  Mandating it - is not.


Regarding your comment that "My profession is all about Risk mgt and
mitigation".
That is the trouble with the policy.  Faculty teach, do research, etc.
The policy needs to strike a balance. In years past, we had similar
discussions about libraries.  To protect the books, libraries should
simply close their doors. A balance needs to found.

The goal of the policy should be to assist professors to follow the law
while they do their job. 
 
 
Here's my question:  I have talked about how transparent the tool is, my
team and I have used it for about 6 months now;  I have talked about how
as an adjunct I found it easy to use, and I have talked about how this
IS a tool that allows faculty to do their job and to safeguard
information at the same time.   I have also offered to let him try the
tool and he has not taken me up on that.  The net result I have had is
nill.  
 
Have any of you had success with a technique to overcome this type of
obstacle?   I have no doubt that the policy will be approved and moved
forward but I would also like to get this very vocal faculty member's
support if possible.
 
Thanks,
 
-Kevin
 
 
 
Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
 
 
   
 

CONFIDENTIALITY NOTICE: This e-mail message and its content is
confidential, intended solely for the addressee, and may be legally
privileged. Access to this message and its content by any individual or
entity other than those identified in this message is unauthorized. If
you are not the intended recipient, any disclosure, copying or
distribution of this e-mail may be unlawful. Any action taken or omitted
due to the content of this message is prohibited and may be unlawful.
 
 
Content-Type: image/png;
         name="image001.png"
Content-ID: <image001.png@01C840A9.64A206D0>
X-WatchGuard-AntiVirus: scanned 'image001.png'. clean action=allow

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)