Educause Security Discussion mailing list archives

Re: Do students hold universities accountable for protecting their information?


From: John Ramsey <jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Tue, 12 Jun 2018 11:41:14 +0000

National Student Clearinghouse provides third party services to many of the universities and colleges.  Many (if not 
most) of your schools are exceptionally diligent in ensuring that we’re protecting your students’ data.  I can say from 
direct interaction with the schools, you do hold us to a high standard for protecting “your” students’ data.  I’d think 
the accountability of third party services might range anywhere from a company that performs transcript services to a 
company that provides cloud services (such as Office 365) or even something where student data is accessible via cloud 
services or mobile devices.  Where I’m going with this is that as a third party, it seems as a result of students 
holding universities accountable to protect their data, you’re holding third party services to a high standard to 
ensure you’re accountable to not only the schools but the students and their parents.

John

John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Certified:  CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171
P: 703.742.4428  |   http://www.studentclearinghouse.org
Read the Clearinghouse Today Blog<https://nscblog.org/>

Winner “2016 When Work Works” & “Excellence in Work-Life Balance”

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Monday, June 11, 2018 4:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

To summarize some of the points made here (as well as my own thoughts), I think you can pull this together as a 
can/should/do form:


  *   Can (rights) individuals hold institutions accountable (are there supporting laws/policies/etc that set that 
right or expectation?) – Yes, we have some laws in that space (FERPA, HIPAA) and many schools have related policies. 
What individuals “can” do is also evolving with privacy law changes.
  *   Can (capability) individuals hold institutions accountable? – This is much harder to answer and the honest 
response is probably “the vast majority of individuals do not have the capability themselves.” They need assistance to 
understand the laws, gather information, interface with organizations, etc.
  *   Should individuals hold institutions accountable for data security/privacy – Yes, I think it’s good for anyone to 
hold any organization accountable for meeting privacy/security requirements/expectations.
     *   Should all of the responsibility of accountability oversight be on the individual? No, I don’t think so.  One 
of the reasons we have accountability offices and watchdog groups is the challenge of the capability issue.  Even if we 
lower the bar on those challenges, it will likely still remain out of reach for many individuals.
  *   Do individuals hold institutions accountable?  - Sometimes, but it seems pretty infrequent.  I would guess this 
is due to a mix of lack of personal priority/interest and the capability challenge.

At the moment, pushing accountability on privacy often requires assistance from third-parties (non-profits, 
governments, etc.). Some of the movement we see in data privacy and security is putting options/tools into the hands of 
individuals to ask questions not just about “What data do you have about me?” but also “How do you use that data?” and 
“Who have you given that data to?”  Perhaps someday it will be easier for an individual to understand how organizations 
handle your personal data, but for now, this issue is still in a very messy adolescent phase.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Paige Francis <paige () UARK EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, June 11, 2018 at 2:10 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Do students hold universities accountable for protecting their information?

I’m not sure if they hold us accountable but I do believe they absolutely have that expectation. In addition, with 
FERPA and HIPAA we’re bound to safeguard protected data.

--
Paige Francis
Associate CIO, University of Arkansas
Fayetteville, AR #UARK #GoHogs

Need IT Help?<https://its.uark.edu/> | Twitter<https://twitter.com/CIOPaige> | 
LinkedIn<https://www.linkedin.com/in/paigefrancis/> | Blog<https://www.linkedin.com/in/paigefrancis/>

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "McIntosh, Keith" <kmcintosh () RICHMOND EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, June 11, 2018 at 9:07 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Do students hold universities accountable for protecting their information?

Colleagues,

Someone recently asked me the following question and I wondered what you would say.   I believe students and parents 
have reasonable expectations that we are both protecting their information and ensuring privacy.

  Do students hold universities accountable for protecting their information?


Keith W. "Mac" McIntosh
he/his/him<https://www.mypronouns.org/>
Vice President and Chief Information Officer
Information Services

Jepson Hall G-12
28 Westhampton Way
University of Richmond, VA 23173
Office: 804.289.8771
Fax: 804.289.8988
http://is.richmond.edu

Email: kmcintosh () richmond edu
Twitter: @Keith_McIntosh<https://twitter.com/Keith_McIntosh>

