ISO: Do not use Slack for university business
The Information Security Office (ISO) has a message for University of Utah personnel who use Slack for university business: Stop — it’s unacceptable and against U policy.
The U does not have a license for Slack, so the communication and collaboration app is not approved for university business (any activity carried out or undertaken on behalf of the university as part of someone’s responsibilities). It’s also not approved for creating, processing, transmitting, or storing restricted and sensitive data, including protected health information (PHI), personally identifiable information (PII), student records, and potentially, data associated with grants and other contracts, as required by university policy.
Because the university does not have an agreement with Slack, the ISO cannot guarantee that sensitive and restricted data are properly protected.
“[Using Slack] opens the university to a lot of [IT security] risk,” said McKenzie Spehar, a data security analyst for the ISO’s Governance, Risk & Compliance (GRC) team. “And by risk, I mean that the U could suffer a data breach. Restricted or sensitive information could leak out. The university could face legal action and other harmful consequences.”
Additionally, due to a 90-day storage limit, the free version of Slack does not comply with Utah’s Government Records Access and Management Act (GRAMA), which requires the university to provide access to certain records upon request.
Students, student organizations, and others may use Slack for communication and collaboration not related to university business — anything considered public data. Examples of public data include university history, business contact data, information from the Campus Directory, and campus maps and directions.
Any personnel or organizations that purchased Slack licenses for university business should stop using the app immediately and notify the GRC team (firstname.lastname@example.org) to resolve any potential compliance or IT security issues.
Instead of Slack, Spehar said faculty and staff should use Microsoft Teams, which is included in the U’s agreement with Microsoft, for university business.
“Teams is approved for everything besides [payment card industry] PCI data. Slack is only approved for public data,” she said. “If sensitive or restricted data could come up in conversation, it's better to avoid Slack entirely. If it's related to your work at all, it's far better to use Teams.”
Better safe than sorry, she said.