31 October 2006

Sensitive Data on Student Shares

Staff should NOT place material they don't want students to see on network shares that are available to students.

Several years ago the Technical Services Unit set up a student share on the Division’s Network Attached Storage Device (dcenas) so that lecturers, tutors and students in particular Units could share materials. One requirement of the system was that staff could share unit materials among themselves without students being necessarily able to see them. The TSU was convinced at that stage that WebCT or other services provided by ICT Services couldn’t handle the particular requirements of the Units.

Once set up, the facility was left in place so that the lecturers could manage the system without requiring TSU staff intervention.

Recently a student in one of the Units with access to the share discovered several folders within their unit folder containing marks for students. The student was able to open the files and read them. When a directory is created within another directory, by default the new directory inherits the permissions of its parent (permissions allow or deny certain users and groups of users access to read from and/or write to files in the directory). The creator of the directory can change the default permissions to allow or restrict other users’ read and/or write access to the directory. Anyone with the right level of administrative access can change the permissions on a directory to allow or deny access to users.

Staff should not store information they don’t want students to see on drives, shares, or volumes that students can access. The Division and the University have network storage for this purpose that can be shared between specified staff members securely: contact the Division’s helpdesk for further information.

A list of shares or volumes on Divisional servers that students have access to will be circulated to staff so they can assess whether they want to move any of their files to a more appropriate location.