Office of Information Technology
 

Where Did our Data Go? Information Security at Rice

Chief Information Security Officer Marc Scarborough at the November Administrators Forum


“Where did our data go?” is a question Rice University Chief Information Security Officer Marc Scarborough receives several times each year. When employees transfer to another department or leave the university, their data may also go missing. Scarborough used three different scenarios as case studies during the November Administrators Forum to help department representatives learn how to avoid data loss in the future.

Problem 1: Individual’s Address as Primary Department Contact

“They were our primary contact for the department. Now that they’ve left, emails sent to the department bounce. We’re hosting a conference next week and have no way to know if people are emailing questions.” In a case like this, explained Scarborough, individual Rice employee addresses have become the point of contact for their department. A better solution is to obtain an organizational account through the OIT Help Desk. For example, registrar@rice.edu is an account that can be used continuously, regardless of which employee is checking and replying to messages for the department. Questions to consider if you do not currently use an organizational account include:

How does the department appear to those trying to contact it?

How valuable is that perception?

How hard is it to recover lost messages if an employee leaves?

Problem 2: Forwarded All Mail to External Account, No Backup Copies

“They forwarded all of their Rice email to their personal Google account, and they didn’t save any copies on Rice’s systems. All of that communication data is gone.” Many Rice employees forward copies of their Rice messages to other accounts and the original remains in the university’s email system. But a few people choose to forward all messages to external accounts before they enter the Rice system. No copies can be recovered because none existed within our system. Scarborough sighed, “Rice email can only be backed up if it is in the Rice email system. Even then, we only have the ability to restore about a month’s worth of email. If someone has been deleting their email, or never storing it at Rice in the first place, that email is probably not in our backups. Depending on how long an employee has been operating this way, years of email could be unrecoverable.”

Another factor to consider is the use of email as a backup solution. Many Rice community members “save” data, attachments and notes in various folders within their email account, both inside the Rice system and in external mail systems. Departments that permit their faculty and staff to forward Rice email to external accounts might want to create a “keep a copy at Rice” business practice to safeguard against data loss. Questions to consider include:

How much departmental information does each of us store in our “email file system”?

What happens when that is lost?

Problem 3: Accidental or Intentional Memory Wipe

“The employee completely wiped their system before they left. They deleted departmental data in the process, leaving us without a way to recover the lost files.” Whether accidental or intentional, this type of data loss feels catastrophic. Scarborough says, “If an employee is working on files solely on their system [desktop computer, laptop, notebook] – and many laptop users work this way – if the system isn’t backed up, many things can go wrong. All drives eventually fail, for example. In other cases, employees mistakenly or maliciously delete critical departmental data, leaving no way for the department to recover it. Lost and stolen devices containing data are also subject to this kind of departmental data loss.”

To review the impact of this type of data loss, consider these questions:

How many of us have departmental data that only exists on our personal workstations?

How much is on personal home machines?

How many of us have had a failed drive, either at home or at work?

What impact did it [the failed drive] have? Imagine if someone did that on purpose…

The following best practices can benefit all Rice departments concerned about potential data loss:

Set expectations and have departmental procedures to keep Rice information on Rice-provided solutions, like Storage or Box.com.

Use a departmental or organizational email address as the departmental contact.

If your department allows off-campus email forwarding, require that mail is initially stored at Rice and then forwarded.

Require encryption for all mobile systems used to process Rice data. Use backup software like CrashPlan on laptops and other systems that process Rice data.

Make sure departmental exit procedures include protecting Rice departmental data.

 

For further information, or for a consultation on solutions that fit your department’s specific needs, contact the Information Security Office: security@rice.edu.
