Educause Security Discussion mailing list archives

Re: Confidentiality agreements and IT staff


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 29 Mar 2012 17:30:30 +0000

Agreed.  I think their best purpose is to make the employee aware that the data they have at their disposal should be 
treated carefully.  I haven't seen it in a couple years, but in the past we've had employees that didn't realize 
writing a credit card number on a piece of scrap paper (or having someone email it to you) was a bad idea.  Signing an 
agreement should soften some liability, but regular reminders of the policy as well as technological protections are 
"must haves" as well.

My point was, that we get so focused on 1st degree handlers of the data, that we forget that there is information that 
all employees work with that needs to be controlled.  It's very possible a loading dock person may never realize that 
giving a student's dorm address out is not permissible.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis 
Tracz
Sent: Thursday, March 29, 2012 1:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

I hope I have not given the wrong impression. I am a proponent of Confidentiality Agreements, they are useful tools and 
have a purpose.  
However, on their own they are not effective.  They need to be supplemented by additional preventative and detective 
controls.


Dennis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Thursday, March 29, 2012 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

I'm not sure I see why all employees wouldn't sign such an agreement (not accounting for any bargaining positions).  
Granted our friends to the North don't have FERPA, but even mailroom people could potentially disclose 
private/confidential information.  In fact, I'd go a step further and say that a clause should be added to any contract 
position.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis 
Tracz
Sent: Thursday, March 29, 2012 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Confidentiality agreements and IT staff

All of our IT, University Development Office & Research Accounting staff are required to sign a Confidentiality 
Agreement prior to being granted system access.  The rationale here is that by virtue of their position they may be 
exposed to Confidential Information.  This is still a paper based agreement.  However, we are looking at combining this 
with an annual ethics & conflict of interests declaration (hopefully electronic).

Personally I think that this on its own does very little to prevent or even deter unauthorized disclosure. It's more of 
an after-the-fact C.Y.A. for audit/regulatory compliance and/or grounds for dismissal.



Dennis N. Tracz, CISSP-ISSMP, CISM, CGEIT Director, Information Security & Compliance University of Calgary
Office: (403) 220-4010
Cell: (403) 305-4010

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of David Seidl 
[dseidl () ND EDU]
Sent: Thursday, March 29, 2012 7:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Confidentiality agreements and IT staff

Folks,

I'm curious if you currently require all or most of your IT staff to sign a confidentiality agreement at hire on a 
recurring basis, and if so, what your reasons for doing so are.

We've had one in place for new hires for years, and our business staff has asked if we can dispense with it as a 
general requirement for all IT staff. I've done a bit of review, and can't find a direct requirement to point to for 
people who don't have direct compliance related assignments.

Thanks in advance for your feedback and comments!

David

David Seidl, CISSP, GCIH, GPEN
Director of Information Security
Office of Information Technologies
University of Notre Dame
Notre Dame, IN 46556
(574) 631-7305
dseidl () nd edu
