Data Security: Student Employee Access

Issue Summary

Across the UMS institutions and functional areas, several processes exist for providing access to student workers who need access to MaineStreet data in order to complete their job responsibilities. This project aims to identify best practices (access profile & procedures, statement of employee and supervisor responsibilities, and confidentiality agreement) for providing access and implement those practices across institutions and functional areas.

January 2022 Proposal Forum

Resources

Data Security: Student Employee Access Proposal

Proposal Forum Presentation Slides presented by Carla DeGraw & Rachel Groenhout

Forum Notes

• This issue has many aspects that came out of the UMS Security Liaisons group.
• There are no specific expectations for security for student employees accessing CS data
• There are also no uniform confidentiality agreements
• Supervisors often log in and turn computer over to student using a generic account
• Students are also given their own accounts with access
• Proposal will create a uniform, formal confidentiality agreement with clear expectations for students and supervisors, including a review of generic accounts.
• Potential future shift from generic accounts to student accounts with an additional profile for access
• Generic accounts work well in terms of not giving student employees direct access, but users cannot be tracked
• New tool available to create new student employee profiles specific to students which would be trackable to an individual. This would also make it easier to audit. We are waiting to hear more on profiles.
• This proposal can increase security and individual responsibility.

Comments & Questions

• Is this related to some generic accounts that are used for different purposes, e.g., text messaging or bulk emailing. 
  • Those are separate and not part of this issue, but not sure if they have anything to do with integrations.
  • Generic accounts assigned to individuals are OK, but what we currently have for student employees are generic accounts not associated with an individual student employee so are not trackable.
• Does any of this apply to grad students who need access?
  • Not in its current design, but scope could expand in the future.
• What future areas might be in scope?
  • Access to additional data systems and additional types of employees. Examples include students who work for at the HelpDesk, or students who need different data access (i.e., not MaineStreet Campus Solutions, but a different system). Current proposal allows us to test this process with a limited scope and may be expanded in the future.

Resources & Research