Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] Use of Personal Computers for Work
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Wed, 26 Feb 2020 19:30:03 +0000
We have a similar posture. We don’t have an official BYOD policy. It’s been on my list for a while, but other priorities keep bumping it. We do rely on our data security classification policy, use of DLP, and network segmentation to help keep our sensitive data contained. Like others have mentioned, we also do not provide computers for adjunct instructors so that right there represents a significant number of employees who are expected to use a personal device to complete their work. Of course a lot of that is FERPA protected data and not more sensitive PII or PHI data.

I think the future will be less about how we restrict access to the device or location, and more about how we control access and secure the data wherever it goes. Things like identity management, role-based access, DLP, rights management, conditional access, zero trust networks, and mobile device management (for university and personal devices) will be key because our users, devices (ours and theirs), and our data will be so mobile and distributed that some of the traditional models won’t necessarily work.

I would recommend determining what problems you’re trying to solve long term by restricting access to university devices, and build towards that so you can pick your battles along the way. This may or may not be the one you want to fight.

(I say all this fully acknowledging that we don’t have it all figured out here, but these are the kinds of strategy discussions we’re having right now).

Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu <https://www.stthomas.edu/>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jerry Tylutki
Sent: Wednesday, February 26, 2020 1:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Use of Personal Computers for Work

The few times I've tried to broker this conversation it ended up with pushback for faculty members stating the need to perform institutional work (research, grading) off-campus on any computer that is available (if they left their managed laptop at work, or a number of other scenarios).

There is merit for proceeding with a policy requiring managed computers, with the caveat that other controls and policies are in place beforehand (e.g. to segment all BYOD staff/student/faculty devices). In the interim, we work from our Data Class policy that specifies where particular data can be accessed and how it can be accessed, requiring a VPN connection and a minimum number of controls on unmanaged systems if they are allowed to be used.

-------
Jerry Tylutki
Information Security Officer
Hamilton College
(315) 859-4289 -- office

*****The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender and delete the email and its contents.*****

On Wed, Feb 26, 2020 at 1:56 PM Menne, Michael S <michael.menne () mnsu edu> wrote:

This is a fairly straightforward, yet difficult to implement, policy. Staff are fairly easy. Adjunct instructors are more difficult as the departments don’t want to spend money on laptops for adjunct instructors.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald Loneker
Sent: Wednesday, February 26, 2020 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Use of Personal Computers for Work

Hi Everyone -

I'm curious as to whether you have policies on your campuses requiring the use of institutional-owned computers for work and how effectively you might manage this faculty as well. I've been saying to people it's bad security practice to be letting people use their own laptops (especially on the staff side) but it might be time to formalize something before people start thinking too much about going in this direction.

Any thoughts you might have on this would be greatly appreciated as well as any policies on this that you might be willing to share.

Thank you in advance!

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ 07960
Phone: 973-290-4229
e-mail: rloneker () cse edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

Current thread:
- Use of Personal Computers for Work Ronald Loneker (Feb 26)
- Re: Use of Personal Computers for Work Menne, Michael S (Feb 26)
- Re: Use of Personal Computers for Work Jerry Tylutki (Feb 26)
- Re: [External] Re: [SECURITY] Use of Personal Computers for Work Gregg, Christopher S. (Feb 26)
- Re: Use of Personal Computers for Work Scott Norton (Feb 26)
- Re: Use of Personal Computers for Work Scott Norton (Feb 26)
- Re: Use of Personal Computers for Work Jerry Tylutki (Feb 26)
- Re: Use of Personal Computers for Work Ronald Loneker (Feb 26)
- Re: Use of Personal Computers for Work John Bradley (Feb 26)
- Re: Use of Personal Computers for Work randy (Feb 26)
- Re: Use of Personal Computers for Work Menne, Michael S (Feb 26)