Stolen personal laptop may have Memorial University student info
Technorati Tag: Security Breach
Date Reported:
2/5/08
Organization:
Memorial University
Contractor/Consultant/Branch:
None
Victims:
Students
Number Affected:
150
Types of Data:
"private information"
Breach Description:
A personal laptop computer that may have contained sensitive personal information belonging to students of the school was stolen from the home of a Memorial University professor while he was out of town.
Reference URL:
Memorial University news release
Report Credit:
Memorial University
Response:
From the online sources cited above:
Email Message from Newsline:
As you may know from a MUN Today article, a laptop stolen from a Memorial professor's home may have led to a breach of private information.
The professor, on returning home from an out of province trip on Jan. 18, discovered that his home had been burglarized and a laptop stolen.
The laptop was stolen sometime between Jan. 15-18, 2008.
The laptop computer may have contained students' personal information.
Mr. Burns used the personally-owned laptop occasionally for university-related purposes and reports that it may have contained class lists from: Business 1000, Section 2 and Section 4, which were taught in the fall 2006 semester; and Business 7302 which was taught in the fall 2007 semester.
[Evan] A personally-owned laptop? It is good information security practice to prohibit the use of personal computers to access business information resources. This is an unnecessary and often unacceptable risk.
While Mr. Burns could not confirm that the information from those courses was actually on the stolen laptop, the university has decided to contact all 150 students who may have been affected to advise them of the possible breach.
As a result of this possible breach of students' personal information and as the privacy officer for Memorial, I want to remind all faculty and staff that they must secure all personal information (of students, employees, alumni, donors, research subjects and others) against unauthorized access.
[Evan] OK, how?
We are reminding all faculty and staff at the university, and anyone who teaches at the university and who may handle private information, to use password protection and/or data encryption on all laptops and removable media devices.
[Evan] "and/or" encryption?! No, no, no. Information security policy must be cut-and-dry whenever possible. Remove the "/or" and you may have something.
“If you are not sure how to set a password for your laptop or other storage device, consult an IT support person who can assist you. As well, ask about data encryption to further secure personal information.”
[Evan] "If you are not sure" (meaning users) then you need training! It is our job as information security personnel to train the users and communicate with them regularly (awareness) about what is expected of them. This comment is way too wishy-washy for me.
Since last spring, Memorial's Information Access and Privacy Protection (IAPP) office has been developing a privacy strategy and privacy compliance tools for the university, with the assistance of a privacy consultant.
The report, together with findings and recommendations, compliance tools, and draft policy and procedures, are available on the IAPP website www.mun.ca/iapp.
Finalizing policy, procedures and planning for implementation of most of the recommendations is now under way.
We remain confident that the information that may have been exposed by this theft was minimal and cannot lead to further problems for the students affected.
Commentary:
Poor practices that contributed to the increased risk involved in this breach:
#1 - DO NOT allow the use of personal computers (or equipment). Personal computers are typically not tested, not built with standard OS images, and lack the security controls in place on organization-owned equipment.
#2 - AVOID "and/or" statements wherever possible in security directives. "And/or" implies ambiguity, where security needs certainty.
#3 - DO NOT expect users to seek out security best practices. Security needs to be brought to them through regular training and awareness.
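The "password protection and/or data encryption" wording matters in practice, because a login password only controls who can start an OS session: anyone who pulls the drive from a stolen laptop reads an unencrypted filesystem directly. The script below is an added example (not from the original page, and not Memorial University's own tooling) of how an IT support person could verify the stronger requirement rather than ask the user. It parses the JSON tree from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux laptop and flags every mounted data filesystem that is not stacked on a dm-crypt (LUKS) device. The two sample trees, the device names and the "password-only" versus "encrypted" laptops are constructed for this example.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` from a laptop that
# has a login password but no disk encryption: every partition holds a plain ext4
# filesystem, readable by anyone who removes the drive. Devices are made up.
LAPTOP_PASSWORD_ONLY = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
    {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}
  ]}
]}
""")

# Constructed sample from a laptop whose root filesystem sits inside a LUKS
# container (the "crypt" node): only the boot partitions are in the clear.
LAPTOP_ENCRYPTED = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
     ]}
  ]}
]}
""")

# Mountpoints that legitimately live outside the encrypted container: the boot
# loader has to read them before any decryption key is available.
BOOT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def walk(node, under_crypt=False):
    """Yield (mountpoint, under_crypt) for every mounted filesystem in an lsblk tree.

    A filesystem counts as encrypted at rest only if some ancestor in the device
    stack is a dm-crypt mapping (lsblk reports it as type "crypt").
    """
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield mountpoint, under_crypt
    for child in node.get("children", []):
        yield from walk(child, under_crypt)


def unencrypted_mounts(lsblk_json):
    """Return the data mountpoints that are NOT backed by a dm-crypt device."""
    exposed = []
    for device in lsblk_json["blockdevices"]:
        for mountpoint, under_crypt in walk(device):
            if mountpoint in BOOT_MOUNTPOINTS:
                continue
            if not under_crypt:
                exposed.append(mountpoint)
    return sorted(exposed)


def at_rest_encryption_ok(lsblk_json):
    """True only when every data filesystem is inside an encrypted container."""
    return not unencrypted_mounts(lsblk_json)


def check_live_machine():
    """Run lsblk on this host and report its unencrypted data mounts.

    Returns None if lsblk is unavailable (for example, on a non-Linux system).
    """
    try:
        out = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    for label, tree in (("password-only laptop", LAPTOP_PASSWORD_ONLY),
                        ("encrypted laptop", LAPTOP_ENCRYPTED)):
        exposed = unencrypted_mounts(tree)
        verdict = "OK" if not exposed else "FAIL: cleartext data on " + ", ".join(exposed)
        print(f"{label}: {verdict}")
    live = check_live_machine()
    if live is not None:
        print("this machine:", "OK" if not live else "FAIL: " + ", ".join(live))
```

Two caveats a practitioner would attach to a check like this. First, it tells you that a dm-crypt layer is configured, not that the passphrase is strong or that the key is not cached somewhere in cleartext, so it is a necessary check, not a sufficient one. Second, `/boot` is excluded deliberately; if a policy requires it to be protected as well, that has to come from measured or signed boot rather than from this script. The point for the Memorial notice stands either way: "password protection" and "data encryption" are different controls, and only the second one survives the drive being pulled out of a stolen laptop.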
Past Breaches:
Unknown