Educause Security Discussion mailing list archives
Re: Do students hold universities accountable for protecting their information?
From: John Ramsey <jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Tue, 12 Jun 2018 11:41:14 +0000
National Student Clearinghouse provides third party services to many of the universities and colleges. Many (if not most) of your schools are exceptionally diligent in ensuring that we’re protecting your students’ data. I can say from direct interaction with the schools, you do hold us to a high standard for protecting “your” students’ data. I’d think the accountability of third party services might range anywhere from a company that performs transcript services to a company that provides cloud services (such as Office 365) or even something where student data is accessible via cloud services or mobile devices. Where I’m going with this is that as a third party, it seems as a results of student’s holding universities accountable to protect their data, you’re holding third party services to a high standard to ensure you’re accountable to not only the schools but the students and their parents. John John Ramsey, Chief Information Security Officer, National Student Clearinghouse Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT 2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171 P: 703.742.4428 | http://www.studentclearinghouse.org<http://www.studentclearinghouse.org/> Read the Clearinghouse Today Blog<https://nscblog.org/> Winner “2016 When Work Works” & “Excellence in Work-Life Balance” From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy Sent: Monday, June 11, 2018 4:40 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information? To summarize some of the points made here (as well as my own thoughts), I think you can pull this together as a can/should/do form: * Can (rights) individuals hold institutions accountable (are there supporting laws/policies/etc that set that right or expectation?) – Yes, we have some laws in that space (FERPA, HIPAA) and many schools have related policies. What individuals “can” do is also evolving with privacy law changes. * Can (capability) individuals hold institutions accountable? – This is much harder to answer and the honest response is probably “the vast majority of individuals do not have the capability themselves.” They need assistance to understand the laws, gather information, interface with organizations, etc. * Should individuals hold institutions accountable for data security/privacy – Yes, I think it’s good for anyone to hold any organization accountable for meeting privacy/security requirements/expectations. * Should all of the responsibility of accountability oversight be on the individual? No, I don’t think so. One of the reasons we have accountability offices and watchdog groups is the challenge of the capability issue. Even if we lower the bar on those challenges, it will likely still remain out of reach for many individuals. * Do individuals hold institutions accountable? - Sometimes, but it seems pretty infrequent. I would guess this is due to a mix of lack of personal priority/interest and the capability challenge. At the moment, pushing accountability on privacy often requires assistance from third-parties (non-profits, governments, etc.). Some of the movement we see in data privacy and security is putting options/tools into the hands of individuals to ask questions not just about “What data do you have about me?” but also “How do you use that data?” and “Who have you given that data to?” Perhaps someday it will be easier for an individual to understand how organizations handle your personal data, but for now, this issue is still in a very messy adolescent phase. Brad Judy Information Security Officer Office of Information Security University of Colorado 1800 Grant Street, Suite 300 Denver, CO 80203 Office: (303) 860-4293 Fax: (303) 860-4302 www.cu.edu<http://www.cu.edu/> [cu-logo_fl] From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of Paige Francis <paige () UARK EDU<mailto:paige () UARK EDU>> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Monday, June 11, 2018 at 2:10 PM To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information? I’m not sure if they hold us accountable but I do believe they absolutely have that expectation. In addition, with FERPA and HIPAA we’re bound to safeguard protected data. -- Paige Francis Associate CIO, University of Arkansas Fayetteville, AR #UARK #GoHogs Need IT Help?<https://its.uark.edu/> | Twitter<https://twitter.com/CIOPaige> | LinkedIn<https://www.linkedin.com/in/paigefrancis/> | Blog<https://www.linkedin.com/in/paigefrancis/> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of "McIntosh, Keith" <kmcintosh () RICHMOND EDU<mailto:kmcintosh () RICHMOND EDU>> Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Monday, June 11, 2018 at 9:07 AM To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: [SECURITY] Do students hold universities accountable for protecting their information? Colleagues, Someone recently asked me the following question and I wondered what you would say. I believe students and parents have reasonable expectations that we are both protecting their information and ensuring privacy. Do students hold universities accountable for protecting their information? Keith W. "Mac" McIntosh he/his/him<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.mypronouns.org_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=9ZKxtGifiJT_omfG3l59i0uii-6HEcp-4bOI_XeNt58&e=> Vice President and Chief Information Officer Information Services Jepson Hall G-12 28 Westhampton Way University of Richmond, VA 23173 Office: 804.289.8771 Fax: 804.289.8988 http://is.richmond.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__is.richmond.edu_&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=90YlN-N0Ju2PBK4xgYEsTM3k3lRUUnkwKAc-OBTeK-I&e=> Email: kmcintosh () richmond edu Twitter: @<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=>Keith_McIntosh<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_Keith-5FMcIntosh&d=DwMFAg&c=7ypwAowFJ8v-mw8AB-SdSueVQgSDL4HiiSaLK01W8HA&r=MiccpEVSKT3DA5jws6edeA&m=xE9EjWmvszeA_LQHaZyOAO9TheSRXZP5Z1nRtLKN22E&s=i_IyoJXiAP-3SUHk3zFgcVFLCwKMzDYy-9FVM8y16mQ&e=> ======================================================= This message has been analyzed by Deep Discovery Email Inspector.
Current thread:
- Do students hold universities accountable for protecting their information? McIntosh, Keith (Jun 11)
- Re: Do students hold universities accountable for protecting their information? SPolsky@PACC (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Josh Callahan (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Hudson, Edward (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Paige Francis (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Barton, Robert W. (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Linc Nesheim (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Brad Judy (Jun 11)
- Re: Do students hold universities accountable for protecting their information? John Ramsey (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Frank Barton (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Ruth Ginzberg (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Valerie Vogel (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Pitt, Sharon (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Semmens, Theresa (Jun 12)
- Re: Do students hold universities accountable for protecting their information? McIntosh, Keith (Jun 12)
- Re: Do students hold universities accountable for protecting their information? Barton, Robert W. (Jun 11)
- Re: Do students hold universities accountable for protecting their information? Josh Callahan (Jun 12)