Welcoming new members & data policies for clinics
Our February gathering was our largest yet. We were thrilled to welcome to our discussions faculty and staff from cybersecurity programs at the University of Washington, Cleveland State, Clemson University, and the Universidad Católica del Perú (expanding our international membership). We were able to connect with many of our newer participants through joint engagement with the Public Interest Technology University Network.
This month's discussion was a best-practice sharing conversation about the policies and technical infrastructure that protect the privacy and security of both clients and students during a clinic engagement. Each clinic needs to have an instructor, teaching assistant, or other staff person who is responsible for OpSec. Depending on the risk associated with the clinic’s target client demographic, individual clinics will choose different technical infrastructure and policies to protect student and client anonymity, for example by using VPNs, providing students with dedicated laptops and phones for client engagement, and anonymizing client identities in class projects and written materials, among other measures.
To manage data and communication risks between clients and clinics, Consortium members have been developing a framework that prompts new clinics to decide on policies and practices that address confidential data sharing, access controls, data protection (at rest, in use, and in transit), and endpoint protection. A few examples of the questions that clinics need to answer before they launch: What are the procedures for how faculty and students handle sensitive client data? What level of encryption is needed? How will the work product and final report from the clinic to the client be stored and used by the school? Under what circumstances, and how, should client data be anonymized during and after an engagement?
Reach out to us at info@cybersecurityclinics.org to join the conversation!