I worked in academia for 13 years. We were already doing most of this in 2010. We were one of the universities that proactively removed SSNs from general use and every administrative system except where necessary.

Please note that the following provisions apply in the new policy:

1. requirement applies to university employees
2. equipment is university-owned
3. OR personal equipment touching PII/PHI

I applaud Stanford's efforts toward protecting students' private data: their customers. This is probably a reaction to the reported breach this past summer:
http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/

They're actually being pretty fair, by allowing BYOD at all for employees and a guest network for personal devices. Many non-profits don't. There's also no requirement to meet these mandates if the personal device only uses the guest network, which is probably sandboxed with no access to PII/PHI and other confidential data.

In the past, universities have been notoriously poor in protecting customer data and in the current climate could face large HIPAA or PCI-DSS fines/penalties if customer data is breached. Considering they also administer an FFRDC, the SLAC National Accelerator Laboratory, I'm surprised they haven't been stricter prior to this.

The answer is pretty simple. If you feel these measures could violate your privacy, then don't use your personal equipment to access Stanford-classified PII/PHI. And don't put your personal data on university-owned equipment. As an employee using Stanford's equipment or accessing customer data, you do not have the same expectation of privacy as a student.

Michele Chubirka

On 1/26/14 5:36 AM, Rich Kulawiec wrote:
> On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote:
>> To Liberation Tech:
>>
>> Stanford is implementing a new security policy detailed here:
>>
>> http://ucomm.stanford.edu/computersecurity/
>
> First, if they were serious about security, they wouldn't be using
> Microsoft products.
>
> Second, backdooring end-user systems en masse provides one-stop shopping
> to an attacker.
>
> Third, "locating PII on systems" is not a solved problem in computing,
> and for anyone to pretend otherwise is, at best, disingenuous. Not
> only that, but anyone who's been paying attention to the re-identification
> problem knows that non-PII is quite often just as sensitive.
>
> Fourth, the simultaneous requirement that systems be backdoored
> and searchable while their disks are encrypted strongly suggests
> that they intend to have a central repository of encryption keys.
>
> Fifth, the requirement for use of centralized backup also provides
> one-stop shopping to an attacker.
>
> Bottom line: this isn't about security, it's about control and monitoring.
>
> ---rsk
> --

Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.