What Can Go Wrong
There is a cost that comes with providing desktop computers or encrypted laptops for use by students and other temporary employees, but use of personally owned computers to access or work with Protected University Information presents an unacceptable risk, both to the University and to individuals whose personal information could be exposed through theft or other mishaps. A theft is a personal tragedy for the owner, but it is potentially catastrophic for individuals whose personal information, present on the stolen device, is exposed and misused. Students are victims of laptop theft much more often than University departments, and their laptops are unlikely to be encrypted.
The UVM Information Security Policy requires personally owned devices to be encrypted if they’ll be used for any Protected University Information, but that still leaves several ways data can be inappropriately exposed, including the owner making unencrypted backups, backing up to a cloud service such as Dropbox, and the likelihood that the owner will decrypt the device without securely erasing the files when UVM employment ends or when the device is sold.
For those reasons, the Information Security Operations Team asks departments to:
- insist that employees, especially temporary employees, do UVM work only on UVM equipment;
- insist that only UVM email be used for messages containing Protected University Information (including not forwarding UVM email to a service like Gmail, in the absence of a suitable agreement with UVM);
- require that files and email related to UVM work be stored only on University-approved services like UVM SharePoint sites, network folders, or UVM-provided, encrypted external drives, rather than being stored in non-UVM services (e.g., Dropbox, Carbonite).
Temporary employees could be required to sign off that they’ll comply.
Should anyone use a personally owned computer, tablet, phone, external drive, or other device for any Protected University Information, it must comply with UVM requirements for encryption, access, secure erasure, and so on, as described in the Information Security Policy and its Procedures.
Do you have a way of addressing temporary employees’ secure computing needs? Please share it via the IT-Discuss or Security listservs, or by emailing the ISO Team at email@example.com. Please contact the ISO Team if you have suggestions or concerns, or if you need help setting up temporary employees to work securely.