Educause Security Discussion mailing list archives
Vendors, the Internet and PII
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Wed, 18 Nov 2009 16:29:45 -0500
Hi,

I just had a sys admin call me because his department wants to use a 3rd party vendor who makes web forms and processes PII data. The cost is $300 a year. The prospective students would enter their data (including PII), the 3rd party vendor would provide the forms, and then transmit the data back to the campus record keeping application, creating a file. The form would be in https, and the transmission would be encrypted, according to my admin.

Now, when we give somebody $30,000 or $300,000 to process our work, I would think nothing of asking for some IT Security controls assurance (being allowed to audit, SAS-70 t2, etc.). But when you're giving them your PII and only paying $300, what would be reasonable assurance?

We have an E-Commerce group, so I sent him there for guidance, but I was curious what the group thought. My instinct is to require the same controls I would if they were processing credit card transactions, but how to prove they are in place and effective is a question I have.

Thanks,

:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : http://www.massachusetts.edu/
Current thread:
- Vendors, the Internet and PII Sarazen, Daniel (Nov 18)
- Re: Vendors, the Internet and PII Doug Markiewicz (Nov 19)