Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Use of Personal Computers for Work


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Wed, 26 Feb 2020 19:30:03 +0000

We have a similar posture.  We don’t have an official BYOD policy.  It’s been on my list for a while, but other 
priorities keep bumping it.

We do rely on our data security classification policy, use of DLP, and network segmentation to help keep our sensitive 
data contained.

Like others have mentioned, we also do not provide computers for adjunct instructors so that right there represents a 
significant number of employees who are expected to use a personal device to complete their work.  Of course a lot of 
that is FERPA protected data and not more sensitive PII or PHI data.

I think the future will be less about how we restrict access to the device or location, and more about how we control 
access and secure the data wherever it goes.  Things like identity management, role-based access, DLP, rights 
management, conditional access, zero trust networks, and mobile device management (for university and personal devices) 
will be key because our users, devices (ours and theirs), and our data will be so mobile and distributed that some of 
the traditional models won’t necessarily work.

I would recommend determining what problems you’re trying to solve long term by restricting access to university 
devices, and build towards that so you can pick your battles along the way.  This may or may not be the one you want to 
fight.

(I say all this fully acknowledging that we don’t have it all figured out here, but these are the kinds of strategy 
discussions we’re having right now).

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu/>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jerry Tylutki
Sent: Wednesday, February 26, 2020 1:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Use of Personal Computers for Work

The few times I've tried to broker this conversation it ended up with pushback for faculty members stating the need to 
perform institutional work (research, grading) off-campus on any computer that is available (if they left their managed 
laptop at work, or a number of other scenarios). There is merit for proceeding with a policy requiring managed 
computers, with the caveat that other controls and policies are in place beforehand (e.g. to segment all byod 
staff/student/faculty devices). In the interim, we work from our Data Class policy that specifies where particular data 
can be accessed and how it can be accessed, requiring a VPN connection and a minimum number of controls on unmanaged 
systems if they are allowed to be used.

-------
Jerry Tylutki
Information Security Officer
Hamilton College
(315) 859-4289 -- office

*****The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender 
and delete the email and its contents.*****


On Wed, Feb 26, 2020 at 1:56 PM Menne, Michael S <michael.menne () mnsu edu> wrote:
This is a fairly straightforward, yet difficult to implement, policy.  Staff are fairly easy. Adjunct instructors are 
more difficult as the departments don’t want to spend money on laptops for adjunct instructors.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald Loneker
Sent: Wednesday, February 26, 2020 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Use of Personal Computers for Work

Hi Everyone -

I'm curious as to whether you have policies on your campuses requiring the use of institutional-owned computers for 
work and how effectively you might manage this faculty as well.

I've been saying to people it's bad security practice to be letting people use their own laptops (especially on the 
staff side) but it might be time to formalize something before people start thinking too much about going in this 
direction.

Any thoughts you might have on this would be greatly appreciated as well as any policies on this that you might be 
willing to share.

Thank you in advance!

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rloneker () cse edu






**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
