There will be controls around the main PCI\FERPA\CUI repositories but after the data is pulled out from there they don't care. Had a meeting earlier today with a University that has a site where anyone who ever went there or worked there could save\copy\delete information that anyone else put there. This location was also tightly integrated with a certain office productivity software making it incredibly easy to find and accidentally use. For weeks I've been telling them to lock it down and how to do it - but it keeps getting passed from dept to dept.
"It's not our job." Yeah ok but this will take 5 min - I just need someone with access to do it.
"Is there really important data there?" Almost certainly, given the tons of recent docs and the titles of at least a few of them.
The new group I talked to today said "Maybe it's just fine the way it is." Really? So we know it's being misused but it's ok that anyone can just save anything they want to that area with no controls to prevent accidental or malicious intent? "Yes. We do it with this other major productivity software."
Wait...what? Well do you at least proactively tell them what option is appropriate for what type of data so they are aware of the restrictions?
"No. We have this one web page buried somewhere that they have to seek out on their own that says what product is appropriate for what data storage. And if a professor or staff member posts FERPA or privileged information on it anyway that's on them."
Are there any disclaimers on the products themselves?
"No."
You don't monitor or restrict data or access?
"Not our job."
So what is to stop someone from accidentally putting privileged information on there?
"Our data guide"
The one they may or may not know exists?
"Yes."
In the last couple of months I've seen some pretty bad things. SSNs, TINs, Medicare #s, bank account #s, etc. where they shouldn't be and with entirely inappropriate security measures. No one really seems to care though. The attitude is more along the lines of "Oh those rascally professors - always putting SSNs where they shouldn't." or "Our workflows kept erroring so we opened anonymous access." WHAT??!! They are entrusting security to the same people that think backing up their tax returns to a research storage share open to their students is fine. (Not that many staff are much better about it.)