Educause Security Discussion mailing list archives
Re: Personal Email and other Services
From: Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Date: Thu, 2 May 2019 18:04:01 +0000
Hi Petrus, Generally, we don't allow it. All institution businesses have to be on a college sanctioned/supported platform. Full-disclosure, we are an office 365 shop. We do make exceptions case by case when requested to allow the use of services like Dropbox or google if: 1. Clear ownership is established (who will be in charge of managing this service) 2. After evaluating the purpose, the type of contents, and the reason for using such service, that we deem it has a low security and compliance risk. 3. An admin account is created to allow the IT office to manage the service if needed (and for assessment/monitoring) 4. An "understanding" document is signed that the owners who are responsible for the service understand the restrictions and potential risks. 5. IT Office reserves the right to terminate the use of such service at any given time if any violation of the "understanding" and/or any other security compliance is detected on such service/platform. 6. Annual review on whether to renew the service contract and re-evaluate if the original reasons for using such service are still valid. If the reasons are no longer valid (i.e. we now have the technology/infrastructure to do what wasn't available in the past) - we will give the owners a time to migrate to a recommended/supported system and then terminate the service. After I explained this policy to people - most have opted to use a supported system. Hope this helps! Regards Jeff "A problem well put is half solved." - John Dewey Jeff Choo - Director, Information Technology | Information Security Officer William James College One Wells Avenue, Newton, MA 02459 Helpdesk: 617-327-6777 x1600 Direct: 617-564-9344 Email: jeff_choo () williamjames edu From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Petrus Williams Sent: Thursday, May 2, 2019 1:38 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Personal Email and other Services Due to the influx of new software developers ( many from Higher Education Institutions) we are being asked to relax our policy about not using personal services ( email, dropbox, google, git etc.) for storing or conducting institution business. The main reason for our current policy is that those work products are considered belonging to the institution and as such when you leave the institution we want to make sure that the work product stays with us ( of course there is no guarantee that a copy won't make it out in some form or fashion but that's another topic). There are also security concerns ( personal email services maybe hosted under someone's desk at home!). There are some rumblings that these restrictions are too limiting for this new crop of developers. So I ask. At your institutions what is the general policy on conducting Institution business using personal services ( email, dropbox, git etc.). Thanks for your feedback Thanks, Petrus Williams J. Paul Getty Trust Assistant Director GDI Infrastructure & Operations Phone 310-440-6397 This message may contain confidential information intended only for the individual named. If you received this message by mistake, please let the sender know by e-mail reply and delete it from your system. If you are not the intended recipient you are hereby notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Current thread:
- Personal Email and other Services Petrus Williams (May 02)
- Re: Personal Email and other Services Jeff Choo (May 02)
- Re: Personal Email and other Services King, Ronald A. (May 06)
- Re: Personal Email and other Services Valdis Klētnieks (May 06)
- Re: Personal Email and other Services King, Ronald A. (May 07)
- Re: Personal Email and other Services Valdis Klētnieks (May 06)