Educause Security Discussion mailing list archives
Re: Mitigating the Risk of Privacy Breaches in the Home Office
From: Blake Brown <Blake.Brown () MHCC EDU>
Date: Mon, 16 Mar 2020 18:04:47 +0000
NIST has provided a good fact sheet for end users on this topic.
~Blake
On 3/16/20, 10:54 AM, "The EDUCAUSE Security Community Group Listserv on behalf of Laura Raderman" <SECURITY ()
LISTSERV EDUCAUSE EDU on behalf of lraderman () CMU EDU> wrote:
External Email
Making sure that the employee has either their own computer (ie, no one else has access to it), or if on a shared
computer, that each person has their own username/password that meet whatever guidance you have on password composition.
Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu
> On Mar 16, 2020, at 1:50 PM, Bryce Cunningham <bcunningham () COLLEGES-FENWAY ORG> wrote:
>
> For obvious reasons, cybersecurity safeguards in the home office are increasing in importance as our schools
rapidly adjust to a new business environment where working at home is no longer the exception. This is an additional
concern for institutions that may not be able to provision endpoints for all staff. The more apparent mitigation is
schools developing and publishing security baselines for employees who work on personally-owned computers
(anti-malware, VPN, encryption, minimum O/S type and version, software updates, et al.). That’s sensible and necessary,
but we must also consider the less obvious data loss vector of family, friends, contractors, etc., viewing PII on an
employee’s computer in the home office. Regardless of how unlikely we think this would occur – or how likely an
employee would report to us such an incident – it could still be a privacy breach depending on the jurisdiction of the
institution and the residency and/or nationality of the person’s whose privacy was breached. I see three controls to
mitigate this: Privacy screens, password-enabled screen saver with idle activation, and a policy for accessing digital
PII off campus. Please comment if you can think of other controls to mitigate this specific risk… or have an opinion on
the necessity of such controls.
>
> Bryce Cunningham, MS, CISM, CISSP
> Information Security Officer
> Colleges of the Fenway
> (ISO for Wentworth Institute of Technology and Mass College of Art and Design)
> Email: bcunningham () colleges-fenway org
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to
the person who sent the message, copy and paste their email address and forward the email reply. Additional
participation and subscription information can be found at https://www.educause.edu/community
>
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the
person who sent the message, copy and paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the
person who sent the message, copy and paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community
Attachment:
03-SSA-WorkingFromHome-FactSheet.pdf
Description: 03-SSA-WorkingFromHome-FactSheet.pdf
Current thread:
- Mitigating the Risk of Privacy Breaches in the Home Office Bryce Cunningham (Mar 16)
- Re: Mitigating the Risk of Privacy Breaches in the Home Office Laura Raderman (Mar 16)
- Re: Mitigating the Risk of Privacy Breaches in the Home Office Blake Brown (Mar 16)
- <Possible follow-ups>
- Re: Mitigating the Risk of Privacy Breaches in the Home Office Bryce Cunningham (Mar 17)
- Re: Mitigating the Risk of Privacy Breaches in the Home Office Laura Raderman (Mar 16)