Tag Archives: legal requirements

Think Purposefully, Act Knowledgably

A recent tweet by Microsoft (MS) referenced a long-standing free file-hosting website the company supports called DOCS.COM.  File-hosting websites are provided by online vendors (such as MS and Google) as a place where individuals may post personal electronic files and documents, often for the purpose of making them available to the general public.

The post on Twitter linked to a page on Microsoft’s website which included this information:


What is Docs.com?
Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, and Sways. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device. 

Can I use my Office 365 account with Docs.com?
Yes. You can use your work or school account to use Docs.com, or you can choose to use a personal Microsoft account — an email address and password that you use to sign in to services like Sway, Outlook.com, Skype, OneDrive, and Xbox Live. If you prefer, you can also sign in to Docs.com with a Facebook account.


As indicated in the article, it appears as though MS has recently extended the permissions to log into and use this website intended for the storage of personal  files to the credentials used by those schools using Office 365 (O365).  Because we are an O365 customer, this means it is possible to use your Bellevue College (BC) login to post documents to DOCS.COM.

This is not necessarily an issue for students who wish to use DOCS.COM for personal documents to supplement the online storage and electronic document sharing capabilities provided by the college through Microsoft’s OneDrive.

However, DOCS.COM is NOT, and I want to repeat this, NOT an authorized location for the storage of any electronic college documents by BC employees, despite the fact that you can access it with college credentials.  The use of the website has not been deemed compliant with FERPA and other campus information security requirements.

It is becoming an increasingly challenging issue in higher education that college employees with access to data and information protected by law (such as FERPA and HIPAA) are copying some of that information to personal file-hosting websites (such as DropBox, Box, DOCS.COM, etc.) without regard as to whether that cloud storage resource meets the information security requirements for the data.  Sadly, many people don’t even take the security of the data into consideration at all; they simply copy it anywhere that makes it more convenient to work with.

It is of utmost importance that each of us think purposefully and act knowledgably  when it comes to the information or data we work with on a daily basis.  Always protecting electronic information is of the highest priority.

The only authorized cloud repository of protected electronic Bellevue College data at the time of this writing is a college-provided OneDrive space or SharePoint Online file storage space (being rolled out soon!), unless a specific exception has been authorized through a Data Sharing Agreement (I’ll discuss these more at a later time).

Despite these services being sanctioned repositories, it is still critical that individual users of these authorized resources are cognizant of how they are sharing or providing access for others to the electronic files and data stored in them.

If you are not certain whether you can share electronic college information with someone, or whether you can store it somewhere, check with your supervisor.  If they are not certain, you or they can contact the Technology Service Desk for assistance, or let me know.

Safe Computing!

Beware Humans with Computers!

At a recent presentation to state risk managers in Olympia, representatives of the law firm BakerHostetler, which includes a number of attorney’s who specialize in resolving information security data breach issues, identified that cyber attacks using Phishing and Malware  was the cause of 31% of the more than 300 data security incidents the firm handled nationwide in 2015.  This is not much of a surprise given the recent increases in the number of these types of attacks.

The second highest category identified at 24% was Employee Action/Mistake, which includes failures of employees to follow organizational policies resulting in a data breach.

Interestingly, the next highest causes of data losses include other categories which also have significant ties to how authorized users interact with information technology and the data stored and manipulated with that technology.  These include: Loss or Theft of a Device (17%); Vendor/ Contractor Actions (14%); Internal Employee Theft (8%); and Lost or Improperly Disposed Data (6%).

These statistics show that the human component of data protection is significantly more important with regard to modern IT security issues than is the technology component.

The underlying source of ALL of these top kinds (92%) of data breaches can easily be attributed to the authorized users of the compromised data and either a deliberate disregard for organizational policies or a lack of information security awareness on their part.

Clearly, it is important for each of us to understand that we each need to constantly protect the college data we access during the course of our daily work, and to ask questions of our supervisors when we are not certain how best to do that.

The college has published a number of policies and procedures related to technology use by college employees and the protection of college data.  Here are links to a few of those current documents:

Take some time this week to update yourself on the information in these important documents and, as always:  Safe Computing!

Sharing login information

Recent increases on campus of individual Bellevue College computer and/or network users sharing their account information with others, including their login name and/or password, has motivated this reminder to the campus regarding the seriousness with which such “sharing” is viewed. 

To make certain we are absolutely clear on its definition, in this context “sharing” includes not only giving someone your user name and password, it also includes logging into a computer and allowing another person to use that computer.  It does not matter whether the person might otherwise or eventually be authorized to use that computer, it is still prohibited.  

Login names and passwords

Account names and passwords are used on campus computers for two basic reasons:

  • First, they help secure the technology resources and provide computer and network access only to those who have been legally authorized. 
  • Second, they provide individual accountability for how those resources are used.

Two Bellevue College policies, Policy 5150: “Acceptable Use of  Networks and Systems” and Policy 5000: “Acceptable Use of Bellevue College Computers”, state that college computer and network users are specifically prohibited from allowing ANYONE to use a network account name or password assigned to them. 

In some circumstances, unauthorized access to or use of college computers may constitute a breach of security which triggers policy-based or legal requirements for the college to notify students and others (including the community as a whole) of a potential breach of their FERPA privacy rights or of their confidential and or sensitive protected information.

Potential for embarrassment

Not only is sharing account information against policy, it is simply one of the most risky behaviors a computer user can do.  Anyone with your account name and password can do anything they want on the computer or network/Internet and it will appear to have been done by you.  Imagine the embarrassment created by sharing your account information if the individual you shared it with uses it inappropriately: 

  • If they want to harass someone on line?  No problem, the authorities will come looking for you. 
  • Perhaps they want to download inappropriate materials?  The investigation will point back to you. 
  • Maybe they want to send an embarrassing e-mail to the college President or a Trustee.  Or anyone. No sweat; everyone will come looking for you.

These are just a few of the possibilities.  Certainly, in the majority of cases those individuals who are sharing your account information may do nothing inappropriate.  But all it takes is one irresponsible or malicious person and you become the focus of much unwanted attention.

Personal and confidential

Your login name and password are personalized credentials, just like your driver’s license—they represent you on-line at Bellevue College and to the wider Internet.  They are also a security tool, similar to car or house keys.  While most of us would never think it appropriate to hand someone else our driver’s license and car keys to use simply because they didn’t have their own, we often don’t give a second thought to sharing account information.

The sanctions for an individual sharing their account name and password, or by using someone else’s shared account information, are very serious.  They may include loss of computer privileges, denial of future access to college technology resources, or other disciplinary actions, up to and including dismissal from the college.

Please help Information Resources continue to keep the college networks and computers working as a viable business and educational tool by protecting your login account name and password and ensuring that you are the only one using those credentials. 

Individuals who are authorized college technology users can create their own login and password through the Net-ID website using their Systems ID number (SID), Personal ID number (PIN) and date of birth (DOB).  If you need assistance getting someone authorized to use Bellevue College technology resources, please feel free to contact the Help Desk by e-mail,  through Request Center, by phone (x4357), or to contact me.

Copyright law and file sharing

Just a short post today, as I try to get out some links to basic information security material out to the campus.

The college has a legal obligation to provide notice annually to campus users regarding the sharing of electronic copies of copyrighted materials.  While the law (related to the federal Higher Education Opportunities Act) specifically addresses  notification to students, the college policies related to copyright apply to all employees and other users of campus technology, as well.

Because of a responsibility to post this notification in a public place, an extensive Knowledge Base article is available at http://depts.bellevuecollege.edu/helpdesk/students/file-sharing/ which everyone on campus should read.

As always, if you have any information security concerns, ideas or questions, please feel free to contact me.

Purposes of this site

Information security program

In addition to providing a channel for ongoing communication regarding information security at the college through this blog, this website is also the repository for some of the documents which are part of the official information security program. 

Today a new link is posted on the top menu which allows users to see the current information security standards.  Along with college policies and procedures, these standards address how the college ensures secure interactions will take place within specific aspects of the college’s technical working environment.

The college’s information security standards are categorized as either:

  •  TECHNICAL, which usually is only of interest to those IT support personnel on campus providing technical support in the specific areas addressed in the standard, or
  • GENERAL, which is of interest to all users on campus.  These standards provide guidelines regarding how the security of information must be maintained by all technology users and how campus technology may be accessed and used.

All information security standards will be numbered (generally in accordance with the domains established under ISO/IEC standard 27002, if you are interested in the tedious details).  General  standards will have just a number and those that are technical in nature will be appended with a letter “T.”

As of this posting, there are no standards listed on the page yet.  All information security processes on campus are undergoing revision during the next few months and approved updated versions of the standards will be posted as they are approved.

(Though they are out of date and reflect many expectations and processes that are no longer in effect, the old security standards may be accessed at: http://commons.bellevuecollege.edu/itsecurity/old-standards/)

Five Important Security Concerns for Employees

The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.

All employees have expected roles securing the valuable information available for use on campus and the technology with which we access it.   In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either myself or the Help Desk (x4357).

Every Bellevue College employee should understand:

1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared. 

In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.

Individuals should also never allow anyone else to use a computer into which they’ve logged-in.  This is not only a security risk for the network, it is an individual identity protection measure as well.  If someone else is logged in as you, everything they may do online appears to be your doing. 

2- Bellevue College policies require that employees secure their workstations if they leave the immediate area

This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.

3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections. 

Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.   

  • Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts.   The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially  data stored on college laptop computers, is of the highest concern at all times.
 4- All communications through the college network is logged (recorded in a database), and is publically-disclosable information.

This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation).  In the case of on-going investigations, this could include real time monitoring, as directed by the HR VP.

A significant aspect of the public nature of college electronic communication is the use of e-mail.  All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable with being subsequently published in a newspaper. 

5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.

  • The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!   

    In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased by unit funds, college funds or professional development funds.

    Personally-owned or purchased software and hardware may be installed on campus, but the same guidelines for licensing apply.  In the case of personally-owned hardware, requirements exist for testing for compatibility with the existing BC technology and network, and for proper security configuration.


These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees.  If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.