by Jeremy Richards
Thoughtful people must not cede all power to politicians and business interests; we must make our voices heard across the full range of professional, social, and civic circles.
(p. 95: Karr, J.R., 2008, Protecting society from itself: Reconnecting ecology and economy, in Soskolne, C.L., ed., Sustaining Life on Earth: Rowman & Littlefield Publishers, p. 95-108)

Comments

Comments are welcome, but are moderated.
Please see guidelines at the bottom of this page.

Tuesday, January 10, 2012

Happy New Year — Now encrypt your laptop

I've just received a letter from my Chair announcing the latest "must do" from VPIT Jonathan Schaeffer. Apparently there are concerns that "personal or sensitive information" is at risk of being lost from mobile devices such as laptops, tablets, phones, and memory sticks. Typical of these pronouncements is the extrapolation of "personal or sensitive information" to "University information", and then basically to everything:
All University mobile computing devices must be encrypted and protected in accordance with this procedure. (Laptop Security and Encryption Standard and Guidelines)
Caught up in the net also are "Personally owned and other external laptops storing University personal and/or sensitive information".

Phase one, starting immediately, is encryption of laptops; other devices will follow. Enjoy.

33 comments:

  1. Exactly, Blither; it can't be enforced, but it provides administration with another rod to beat us if we screw up, and more importantly for them, a policy they can point to to deflect blame and defend against litigation.

    This seems to be yet another case of a blanket policy being used to solve an isolated problem, probably restricted to administrative units handling personnel files, and medical or social science researchers and practitioners who handle personal data. Such people probably already use encrypted hardware.

    Another detail is the expectation that we must have the latest computers and operating systems ("Laptops and other mobile computing devices must run a current, fully patched, and modern operating system at all times."). When the University pays for my computing equipment and software, this might be a reasonable expectation.

  2. I think it's just to protect themselves in case someone finds data and tries to sue the university. The university can then say they had this rule and the individual is personally liable because they didn't follow it.

  3. Maybe Jonathan should change his title from VP (IT) to VP (CYA).

  4. southern alberta socialist, Jan 10, 2012 09:31 AM

    As with most policy written at the university it takes no account of implementation. If the policy writer had to also write the implementation plan along with funding sources for the plan there would be much less policy [probably a good thing] but there would be more effective policy [definitely a good thing]

  5. And then when you access Google Mail you get a note saying to be sure to log out so the whole university doesn't read your e-mail.

  6. It is not clear why this policy elicits such derision, indeed, it seems like common sense to me. I encrypt all of my own "sensitive" information (for me, that includes perhaps trivial data, like a list of my old addresses), and would expect that someone else holding onto my information would take a reasonable amount of care with it. Is this uncommon? One might liken it to storing paper copies of personal information at home in a safe or a hidden drawer (i.e., relatively safe from a burglar), or shredding documents before putting them out in the trash.

    Why should this effort not be afforded to sensitive information of others? My simple test is: "if someone steals my laptop/memory stick, would there be any serious consequences if the data were taken by someone who knew what to do with it." In my opinion, if I have data of others, I should probably go the extra mile to ensure that this data is safe.

    Encryption isn't so onerous in this day and age. In graduate school (admittedly, not so long ago for me), I had colleagues who regularly encrypted their entire laptops using what seemed to me to be relatively easy to use, free software.

    As for enforcement: Presumably admin thinks that this policy is reasonable, and envisions that as professionals (as opposed to, say, small children), there is no need for a carrot or a stick for implementation. Perhaps some of us would prefer to be treated like children? (that last is in jest!)

  7. Actually, Isotopic, you miss the point (and I don't think you jest) — many of us would prefer to be treated like responsible adults, which means being provided with advice and then trusted to do what is appropriate. People handling sensitive data have an additional obligation, as reflected in ethics approvals etc., so formal policies in those areas make sense. But beyond that this seems like an unnecessary catch-all policy designed purely for risk management purposes.

    If the issue truly was as globally important as admin makes it out to be, then there would indeed be enforcement. As anyone who knows anything about governance knows, laws and policies without enforcement are worthless (except as an arse-covering measure).

  8. Jeremy, unfortunately most academics' job is not to know what best practices are, nor to know what the legal landscape is. In other words, you as academics are all focused on your research (and some perhaps on teaching as well). You are definitely (as a collective) not focused on how those marks, SIDs, Names, Addresses, possibly birth dates, etc are being stored and managed.

    A simple point is made by the fact that you seem to imply that having un-patched, not up to date software (and by transitivity hardware to run it on) is acceptable. If you wish to be treated as a professional, either recognize the limits of your professional abilities and knowledge, and defer to the advice and policies set within your organization by people tasked with that job, or man up to learning the threat landscape that exists. In other words, you're either a professional in this field, or you're a consumer/end-user.

    Also, your argument with respect to someone forcing you to upgrade or spend money on these upgrades: That is the cost of doing business. Your cost of doing business in this case. Factor total cost of ownership into a computer, or other purchase, before you commit. Just as you would go talk to your insurance agent about how much it would cost to insure that Ferrari, making sure you can afford to operate the thing, so should you do the same for computers, etc.

    Also, just FYI, the policy contains these words: "Non-compliance with this policy constitutes misconduct and may be handled under the applicable collective agreements, University policy, or law." So if the university wishes, there is plenty of "ammo" or "stick". Of course, policing and detection are another matter. But as a professional, this should not be an issue...

    Seriously, I well understand the money issue. We also have old equipment. Things I would *love* to have tossed years ago. This is just another nail in the coffin for such pieces of relic. While I don't doubt that the VP-IT would love to have all their policies in effect and operational right now, I do believe they are largely reasonable people, with reasonable goals. If you as a professional have a documented plan in place that accomplishes the memo's spirit within a reasonable timeframe, I'd be surprised if they (vp it) would have issues with it.

  9. Toby, I appreciate your argument about professionalism, as we should all be concerned about the security of information. I didn't understand (or might just disagree with) your other points. You seem to be agreeing with Jonathan's implied assumption that faculty are responsible for understanding, purchasing and updating all the technology required for that to be in place. Yet, as you point out, how many academics have the time and knowledge to keep on those things? Also, why should faculty be required to calculate all the costs before committing? I can see that if the computer is part of a major research grant, but a lot of the use is for teaching service as well as research, which is the University's cost of doing business. Not mine. Unless you want me to drop my faculty position and take one as a support staff to do this work.

  10. Do we have clear and legal descriptions and definitions of “personal”, “sensitive” or “corporate” information that is to be protected under this new policy? I can’t see such definitions in the “University Encryption Standards and Instructions”, dated December 2011. This is a pretty useless and unenforceable policy until such things are clarified!

  11. This is yet another push down on our time and budgets. Can I assume that the encryption will 1) not slow my computer processing time, 2) work flawlessly with all of my various software (> 50 programs), 3) not require me to buy new software, 4) have the full support required from the IT people in my department, 5) be compatible with my virus program. I have little idea what constitutes "sensitive" or "personal" information. As near as I can tell, all such things are now held on the crappy Moodle e-class system that won't let me "electronically" submit my marks and currently, won't let late joining students access. Another downloading pronouncement from above. I have decided I won't keep any "sensitive" information on my computer. I'm going to get a paper register and write down all the information and then scan it for submitting marks (just kidding on the register - not kidding about the "sensitive" information).

  12. Anon 7:27

    Yes, exactly. I guess student ID #'s are, but what about my grant speed codes? Letters of recommendation? Performance evaluation documents without addresses or ID numbers?

  13. I asked our IT staff about this, they promised more clarity forthcoming (issues over specific scenarios that are not mentioned in the policy etc.). Their plan is to initiate this with hardware currently capable and then hopefully allow for older items to just die off and disappear. When asked on the definitions & descriptions, they just shrugged and said, we'll just encrypt the stuff, then not worry about it. Though on the way out, they mused at how there are documents and information acceptable and NOT acceptable to store on Google (Docs), which they concluded best not to use a service at all if you have to carve up information being stored on it. Either a service is trustworthy or it is not.

  14. Thank you for the feedback. While I support many of Jonathan's ideas and general directions, I definitely do have specific issues with many of them. Mr. Anonymous (yes, *that* anonymous) has hit the nail on the head with one of them. Not having a specification of the data, and the nature of its sensitivity makes much of this policy hard to enforce. I would hope that feedback (which I'll admit I've yet to give myself to the VP-IT office on this policy) would be accepted, evaluated, and eventually incorporated into the next version/copy of the policy. So I say send Gordie your comments.


    As for the "other Mr. Anonymous", I'll answer your question this way:

    1) yes, not appreciably, and if it does, the computer needs to be upgraded

    2) unknown, do you need to keep sensitive material with all those programs?

    3) unknown, depends on what the software is/does

    4) you'd have to ask your department IT people. I would hope so, but I do know that many department IT shops are stretched beyond the limit.

    5) Is your virus program up to date software wise? Or is this one of the "do I have to purchase new software" parts you allude to? If it's up to date, chances are it'll be fine. If not, chances are it (the anti-virus software) is being actively used to exploit your computer.


    To the "that Mr. Anonymous", yes, some pieces have been identified as being "private" or sensitive. I guess in part the question can be answered in the following way. Would you want the world, your students, your banker, the CRA, your next potential employer, and the nasty Script Kiddie down the street to know any of these pieces of information about you? If the answer is "no", then definitely protect the data (even if it is about/for someone else) to the best of your ability. Note, that was an implication, if -> then.

  15. This is a perfectly reasonable policy - we should be careful and responsible for the personal data we carry around. In addition it is one being forced on the university by the province (as the VPIT documents mention) so we also do not have a choice.

    At the same time since my laptop is primarily for research (it was purchased from research funds) I do not want to have the full disk encryption methods they mention since this is notorious for slowing down I/O operations, particularly when running analysis code that is CPU-intensive.

    So, instead, I'd suggest that people look at http://www.truecrypt.org/. This lets you create a secure, encrypted volume where you can just put the files which need to be secured - in my case mainly course grades and reference letters. It works with Mac, Linux and Windows and in fact is the recommended solution for Linux from the VPIT website. You can also do the same with a native Mac using an encrypted disk image created via the "disk utility" app (which is what I intend to do). This way there is zero interference with my research apps and only the information which needs to be encrypted is. I found a more detailed description of "sensitive" information on the VPIT website and, perhaps I'm hopelessly naive, but I expect that if I make a good faith attempt to ensure that sensitive data is encrypted I will be covered even if it does not meet the precise legal definition because I'm a scientist not a lawyer.

    So yes it is a pain, yes it does take time out of our busy schedules but at the same time in an age of increasing data theft it is not an unreasonable policy for the university to have and for us to follow.

  16. Thanks Anon @ 10:24 am — very helpful suggestions.

  17. Yes, thanks. Although, I do have to say there is something fundamentally wrong with the policy when we are left having to rely on an anonymous poster on a Blog to tell us the best way to ensure proper security for our data!!

  18. Tell me, Toby: how exactly is it that you happen to know that the anonymous contributors to whom you refer are Misters?

  19. Our IT person told us today to "encrypt when in doubt". Hmmm... I'm not in doubt so I should be good - business as usual.

    This issue also raises an interesting point - the University does not provide computers yet it is pretty clear that we need computers to do our job. I don't see how the University can ask us to impair the primary function of our computers to encrypt "data" that should never be stored on our own computers anyway. With Moodle, Google and such, can't we just leave the sensitive data on such sites? Did our VP ensure that Google is 100% secure and encrypted and that Moodle (which contains a lot of private information) is also encrypted. Sorry but I can imagine the issues when my SAS statistical package crashes due to some new glitch.

  20. Apologies, I shall refer to them as the gender neutral term of "it" from now on. Definitely didn't mean to offend. Hope and beg for forgiveness on such a thoughtless blunder on my part.

  21. Give-me-a-break, Jan 11, 2012 09:28 PM

    This is a typical "Risk avoidance" policy from Central Admin... create a policy that covers the University's arse (thanks Jeremy) but has little or no benefit to the end users. Ill-defined, with no support to implement it, and no way to enforce it. Waste of time.

    What seems to be missing, is show me the problem... For example, how many cases last year where a laptop was stolen, had sensitive data on it, that was used for something nefarious... one, five, twenty?

    Then, tell me how many laptops on campus happily went about their business. I predict thousands... Calculate the ACTUAL risk... trivial. Calculate the COST of implementing this policy to avoid the problems... staggering.

    This is a CLASSIC UofA "turn my problem into YOUR problem". Admin is worried about FOIP or "damaging their reputation" so they proclaim an ill-conceived, un-enforceable, regressive policy.... nicely inflicting the whole problem on the rest of us (while giving them a policy to wave in front of whomever cares)

    As has been said above. For those people who have TRULY sensitive information, they need to manage it, and properly. I bet, most of those people already are, or once made aware of it, will do so now.


    Yet another big waste of time.

  22. @Toby, is that sarcasm perchance? Hopefully your comment isn't the usual (and antiquated) jab at "political correctness" that masks an underlying misunderstanding of how to use gender in a grammatically correct way that avoids power-laden assumptions? i.e. there is never a grammatical reason to refer to any person as "it."

    Anon@12:16 pm wasn't the only one who noticed the marked effort to denote the gender designations (with asterisks and "that" and other unclear modifiers included).

    Perhaps, like anyone else, Anon@12:16 pm could've clicked on your user name and found that you are in Systems Analysis and that one of your comments on the UAlberta site is "hacking on my own projects."

    https://webapps.cs.ualberta.ca/profile/

    'Hacking' carries connotations and may lead people to assume things....hence the query about gendered assignations (maybe...)?? Note: I'm not implying that agency on the part of Anon@12:16! And, hopefully, Jeremy won't have to retract this as it is not an accusation but rather underlining how all of this 'e-security' biz can so easily be caught up with vocabulary/ communicative misunderstandings. You know the old saying about paranoia...

    Otherwise, cyber-speaking to people with their designations of simply at Anon@Time or whatever moniker they've provided is pretty much the 21C way to go.

    Replies
    1. And as usual with anything technical on campus the entire point of the discussion is missed and the conversation gets misguided to being P.C. and theory and all the non-real-world crap during discussions but when it comes to a real-world incident those same people will be screaming "Why didn't you do something about this?"
      No wonder nothing of use gets done around here...

  23. Anon@8:28, as an academic, at some level I actually agree with you that this is a digression from the original purpose of the directive. But that's the point and that's why Schaeffer's assumptions are so annoying. Why is the implementation of the mandate being assigned to academics to figure out, as opposed to IT people, who presumably have a lot more expertise than we do and were hired (or should be hired) specifically to look after these things? To the person who said that it takes time to ensure security but it's worth it. Fine, I'll cancel my undergrad classes for this week, and send out an e-mail to all the students to tell them I'm not available because I was ordered to work out the security on all my tech stuff. Or maybe I'll cancel the two doctoral exams I was due to attend and work on this instead. Or write on my annual report, "Sorry, I didn't get that major grant application in but I was ordered to drop it to work out this tech stuff." I mean, what was Schaeffer thinking???

  24. Why the assumption on the part of many here that the IT people aren't going to be very involved in facilitating things for those who need to encrypt?

    The IT people in my faculty (Arts) are working on a plan, and we were told to expect more info from them early next week.

  25. Anon@9:14, on my part the assumption was because of the way the memo was worded as well as the fact that in some faculties it was circulated directly to faculty without additional info as to how it would be carried out. For me, if it was something like "We're stepping up the encryption and your local IT people will be in touch with you to take care of it" that would have been a totally different ballgame. I think the whole tone and language of the memo show a general disregard for clarity and potential concerns of faculty.

    Replies
    1. Anon@9:58, exactly. This was just dropped on us IT people at the same time, so now we look silly for not having the support in place. On top of that, since the memo was released we have been drip-fed additional technical requirements. For example, there will be a database tracking the encryption status of laptops, and it is your local IT staff's responsibility to keep the status of the laptops in their area up to date.

      We all knew that this was coming at some point. But it went from very vague future thing to policy seemingly overnight.

  26. I don't understand all the negativity. Do you use a computer? Do you patch the security vulnerabilities (second Tuesday of the month for Microsoft)? Or do you just snarl, "That's a waste of my time" and click the notification away? Are you "no good with computers"? That's no excuse.

    If you need help, there is the AICT Helpdesk. And those in Arts can consult the Arts Resource Centre. Your department (like mine, Psychology) may have one or more IT support staff who are there to help you.

    Before I was able to get ethics approval for a recent study, I had to explain exactly how I would keep participants' data secure, which included data encryption. That was a bit of a surprise, but it's a reasonable requirement.

    The VPIT makes a good case for the use of encryption on laptops. It won't be long before all computers in our offices will have to have encryption. That's OK with me--I've had my credit card information stolen by hackers once, and my financial information was in a laptop that was stolen from the car of someone who works for my financial advisor.

  27. Karsten, I'm glad you have tech support where you live on this campus. Not everyone does. I'm also glad that you have spare time on your hands. I don't.

  28. Anonymous @ 11:56pm: won't AICT help you?

    And as for spare time, we all have the spare time to do what's necessary. It's simply a matter of us setting our priorities. And yes, if we are handling sensitive data, it should be a priority to keep that data secure.

  29. "its simply a matter of setting our priorities." Okay. My priorities are set by what counts in my Annual Report. If Jonathan wants to change that, he's welcome to negotiate which other part of my job I get released from. I think it's ludicrous that people are so unaware of how overloaded we already are with multiple and often conflicting expectations from a Senior Admin that has no concept of what our Work Lives are really like. Sure, if you have cushy releases from teaching and no real service responsibilities, it's fine for you, but not for all of us.

    Replies
    1. Oh, I know! I am reduced to taking the LRT (no time to get gas for my car) and eating in CAB (no time to shop for groceries, much less cook). These 23 hour days are killing me!
