Secure.IT - Ensure Effective Security Controls

collect

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include information technology at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not IT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is "yes," collaborate with Information Services at the beginning of the project to ensure that institutional data are properly protected.