Educause Security Discussion mailing list archives

Re: Policy - Employees using personal storage


From: Jack Suess <jack () UMBC EDU>
Date: Fri, 19 Jul 2019 23:12:06 -0400

Ronald,

How many faculty or staff have you disciplined for using a personal 3rd
party storage service?

I ask because it is 1) easy to state you can't do this, and 2) very
difficult to actually enforce this. I don't disagree with policy that is a
CYA but legally, if you don't enforce your policies you can end up
complicit in a violation of policy.

Our strategy is we have institutional agreements with Box, Google, and
Microsoft 365. Our position is that central IT is responsible for the
protection of any research data or institutional data using our 3rd party
storage tools as we have documented (note, we do license Cisco Cloudlock
to examine data flows outside the enterprise for each service) so long as
you use your institutional credentials. If you use your personal account
or institutional email with your own password and have a security issue
arise the liability is yours and the university can take action to
discipline you, such as termination.

The key difference is as long as you use your university account you are
protected - we'll give you options for a variety of 3rd party storage.
Where we separate the products is health care data, in that case we have a
BAA with Microsoft and Box, but not Google.

To answer my own question, we have not had to go after any employees
because data from a personal 3rd party storage leaked out and was
inappropriate. We have been Google Apps since 2010, Box since 2012, and O365
since 2014. Saying that, I know a number of faculty still use Dropbox,
which we don't have an enterprise agreement with. As we look at this it is
generally their small research group sharing files and we encourage them to
move to one of the big three to get more storage and better protection.


j

Jack Suess             UMBC VP of IT & CIO
jack () umbc edu     1000 Hilltop Circle
410.455.2582          Baltimore Md, 21250




On Fri, Jul 19, 2019 at 2:48 PM King, Ronald A. <raking () nsu edu> wrote:

Our AUP states the following is prohibited:
Installing online storage applications, such as OneDrive, Google Drive, or
storing University data on online storage.

Note: This restriction does not apply to students and faculty using online
storage for academic purposes only, i.e. teaching the use of online
storage, or sharing class/educational material not containing
sensitive/protected information.


Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-3918 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



From: The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Keenan Martinez <
0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 19, 2019 at 8:05 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Policy - Employees using personal storage

Good day,

Can members advise how they treat with employees who use their personal
online storage (Gmail, Hotmail, Dropbox, etc.) to store company files
instead of company assigned storage? Is there a policy that would guide
the restricted use?

Thanks in advance.

Regards,



Keenan Martinez
Manager -  Information Technology & METS
The Arthur Lok Jack Global School of Business
1, Max Richards Drive, Uriah Butler Highway North West, Mt. Hope. Trinidad
& Tobago (UTC -4 hours)
Mt. Hope, Trinidad, W.I.
Tel: (868) 645-6700 ext: 333 | (868) 498-0764 | Email:
k.martinez () lokjackgsb edu tt
www.lokjackgsb.edu.tt



Empowering UWI-ALJGSB to thrive in a digital world


