Educause Security Discussion mailing list archives

Re: [EXTERNAL]Re: [SECURITY] Standard operations question


From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Thu, 21 Feb 2019 16:35:26 +0000

This would also require a BAA to be established with the Vendor depending on the type of data that they would have 
access to.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SPolsky@PACC
Sent: Thursday, February 21, 2019 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL]Re: [SECURITY] Standard operations question

Julian, Asking who is "responsible for the account" is, IMHO, a bit ambiguous — and not necessarily the same thing as 
being responsible for the collection, use, processing, and disclosure of personal information done within that account.

A fundamental tenet of data protection and privacy laws is that the entity that collects the information is responsible 
for controlling and securing the information. So even though the department has contracted with an external party 
(presumably with a written contract, and one that addresses data responsibility, liability, and repatriation), 
Northwestern remains responsible for the information. If someone at the third party misuses or inappropriately 
discloses the information, affected individuals would look to Northwestern.

Similarly, managing the account, and granting access, must be controlled by Northwestern; otherwise, it enables the 
third party service provider to have control and grant access to information that Northwestern is responsible to 
safeguard.

Allowing the tail to wag the dog isn’t often a good strategy.

HTH.

Sharon Polsky BIS MAPP
President & CEO — AMINAcorp.ca <http://aminacorp.ca/> — @AMINAcorp <https://twitter.com/AMINAcorp>
President — Privacy and Access Council of Canada <http://pacc-ccap.ca/> — @PACC-CCAP <https://twitter.com/PACC_CCAP>
Member, Standards Council of Canada <http://www.scc.ca/en/news-events/news/2018/iso-standard-will-help-protect-consumer-privacy-online-0> GDPR Advisory Committee — @StandardsCanada <https://twitter.com/StandardsCanada>
PbD — Privacy By Design Ambassador <http://web.archive.org/web/20121012080217/http://privacybydesign.ca/ambassadors/individuals/page/7/>

On 02 Feb 2019, at 8:41 AM, Frank Barton <bartonf () HUSSON EDU<mailto:bartonf () HUSSON EDU>> wrote:

I would agree that the service owner should be responsible for the account; however, in the spirit of 
'checks-and-balances', I would suggest that the datacenter team routinely 'audit' the account, and the continued need 
for the account, with the owning team.

On Thu, Feb 21, 2019 at 10:37 AM Julian Y Koh <kohster () northwestern edu<mailto:kohster () northwestern edu>> wrote:
On Feb 21, 2019, at 09:21, Jared Evans <jared.evans () GALLAUDET EDU<mailto:jared.evans () GALLAUDET EDU>> wrote:

A department has gone with a service provided by an external party and has a support contract with them.  This support 
service necessitates a VPN account along with a user account (along with appropriate access control placed upon it).  
While we have created and filed the documentation for this account, who is ultimately responsible for this account 
going forward?

The system owner of the service who has set the justification for the existence of the account or the datacenter team 
which maintains our accounts?


IMO the service owner should be responsible for the account.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

