Educause Security Discussion mailing list archives
Re: SaaS responsibilities
From: Tracy Beth Mitrano <tbm3 () CORNELL EDU>
Date: Fri, 28 Aug 2015 18:12:54 +0000
Not that it will explain everything but this might be a start :-)

http://er.educause.edu/blogs/2015/2/the-role-of-privacy-practices-in-information-management

Tracy

On Aug 28, 2015, at 2:02 PM, Ruth Ginzberg <rginzberg () uwsa edu> wrote:

Yes, and your Office of Procurement could probably add a few questions to that, such as, What about compliance with records retention requirements? Forensic investigations and e-discovery? Export controls? FERPA? What happens when an employee signs up for a click-thru service of some kind that comes with terms and conditions that violate your state laws, or an agreement that the user and the user’s data will be subject to the laws of some foreign jurisdiction? What if your researcher or staff member is storing HIPAA protected info in some cloud environment that they obtained “for free” (so never even mentioned it to I.T. or to Procurement) and the TOS that they never read allows data mining of your HIPAA data? Etc., etc.

Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, August 28, 2015 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SaaS responsibilities

Here, as I’m sure is happening everywhere, SaaS usage is exploding across campus. We in IT are struggling with forming policies around such usage and our responsibilities around those services. I would appreciate input in how others are handling this SaaS hydra. Does IT track all external services used? Does IT have the rights and/or information and/or responsibility for administration of these services? Does IT have any right of refusal for possibly insecure or unvetted services? Does IT have any other applicable policies such as SSO requirements, etc.?

We’re struggling with issues like when an employee leaves, how can we make sure they no longer have access to any school resources when some of those only reside in the cloud? Or when we don’t even know about the service? How do we make sure a chosen solution integrates well into the rest of our environment when we may not be involved in the selection process? I appreciate any answers, advice, or suggestions you can offer.

Thomas Carter
Network & Operations Manager
Austin College
Current thread:
- SaaS responsibilities Thomas Carter (Aug 28)
- Re: SaaS responsibilities Todd Britton (Aug 28)
- Re: SaaS responsibilities Ruth Ginzberg (Aug 28)
- Re: SaaS responsibilities Tracy Beth Mitrano (Aug 28)
- Re: SaaS responsibilities Steve Terry (Aug 28)
- Re: SaaS responsibilities Tomo (Aug 28)
- Re: SaaS responsibilities Nick Lewis (Aug 31)
- Re: SaaS responsibilities Joanna Grama (Aug 28)
- Re: SaaS responsibilities Tomo (Aug 28)