Educause Security Discussion mailing list archives

Re: SaaS responsibilities

From: Tracy Beth Mitrano <tbm3 () CORNELL EDU>
Date: Fri, 28 Aug 2015 18:12:54 +0000

Not that it will explain everything but this might be a start :-)

http://er.educause.edu/blogs/2015/2/the-role-of-privacy-practices-in-information-management

Tracy


On Aug 28, 2015, at 2:02 PM, Ruth Ginzberg <rginzberg () uwsa edu<mailto:rginzberg () uwsa edu>> wrote:

Yes, and your Office of Procurement could probably add a few questions to that, such as,

What about compliance with records retention requirements?  Forensic investigations and e-discovery? Export controls? 
FERPA? What happens when an employee signs up for a click-thru service of some kind that comes with terms and 
conditions that violate your state laws, or an agreement that the user and the user’s data will be subject to the laws 
of some foreign jurisdiction?  What if your researcher or staff member is storing HIPAA protected info in some cloud 
environment that they obtained “for free” (so never even mentioned it to I.T. or to Procurement) and the TOS that they 
never read allows data mining of your HIPAA data? Etc., etc.



Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Friday, August 28, 2015 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] SaaS responsibilities

Here, as I’m sure is happening everywhere, SaaS usage is exploding across campus. We in IT are struggling with forming 
policies around such usage and our responsibilities around those services. I would appreciate input in how others are 
handling this SaaS hydra. Does IT track all external services used? Does IT have the rights and/or information and/or 
responsibility for administration of these services? Does IT have any right of refusal for possibly insecure or 
unvetted services? Does IT have any other applicable policies such as SSO requirements, etc?

We’re struggling with issues like when an employee leaves, how can we make sure they no longer have access to any 
school resources when some of those only reside in the cloud? Or when we don’t even know about the service? How do we 
make sure a chosen solution integrates well into the rest of our environment when we may not be involved in the 
selection process?

I appreciate any answers, advice, or suggestions you can offer.

Thomas Carter
Network & Operations Manager
Austin College

Current thread:

SaaS responsibilities Thomas Carter (Aug 28)
- Re: SaaS responsibilities Todd Britton (Aug 28)
- Re: SaaS responsibilities Ruth Ginzberg (Aug 28)
  - Re: SaaS responsibilities Tracy Beth Mitrano (Aug 28)
- Re: SaaS responsibilities Steve Terry (Aug 28)
  - Re: SaaS responsibilities Tomo (Aug 28)
    - Re: SaaS responsibilities Nick Lewis (Aug 31)
  - Re: SaaS responsibilities Joanna Grama (Aug 28)