Where would UVM be without student employees? University departments hire students and other temporary employees for a wide variety of important jobs, and some of those jobs involve working with sensitive or confidential information. As is true for regular faculty and staff, any work with Protected University Information (definitions of which are in the Information Security Policy and the Privacy Policy) should be done on UVM-owned equipment. Laptops should have their hard drives encrypted.
What Can Go Wrong
There is a cost that comes with providing desktop computers or encrypted laptops for use by students and other temporary employees, but use of personally owned computers to access or work with Protected University Information presents an unacceptable risk, both to the University and to individuals whose personal information could be exposed, through theft of other mishaps. A theft is a personal tragedy for the owner, but it is potentially catastrophic for individuals whose personal information, present on the stolen device, is exposed and misused. Students are victims of laptop theft much more often than University departments, and their laptops are unlikely to be encrypted.
The UVM Information Security Policy requires personally owned devices to be encrypted if they’ll be used for any Protected University Information, but that still leaves several possibilities of inappropriate data exposure, including the owner making unencrypted backups, backing up to a cloud service such as Dropbox, and the likelihood the owner will decrypt the device, without securely erasing the files, when UVM employment ends or when selling it off.
Avoiding Catastrophe
For those reasons, the Information Security Operations Team asks departments to:
- insist that employees, especially temporary employees, do UVM work only on UVM equipment;
- insist that only UVM email be used for messages containing Protected University Information (including not forwarding UVM email to a service like Gmail, in the absence of a suitable agreement with UVM);
- require that files and email related to UVM work be stored only on University approved services like UVM SharePoint sites, network folders, or UVM-provided, encrypted external drives, rather than being stored in non-UVM services (e.g., DropBox, Carbonite).
Temporary employees could be required to sign off that they’ll comply.
Should anyone use a personally owned computer, tablet, phone, external drive, or other device for any Protected University Information, it must comply with UVM requirements for encryption, access, secure erasure, and so on, as described in the Information Security Policy and its Procedures.
Let’s Talk
Do you have a way of addressing temporary employees’ secure computing needs? Please share it via the IT-Discuss or Security listservs, or by emailing the ISO Team at iso@uvm.edu. Please contact the ISO Team if you have suggestions or concerns, or if you need help setting up temporary employees to work securely.