Educause Security Discussion mailing list archives

Re: Data Governance Role Based Access questions


From: Ray Phillips <phillips () UMN EDU>
Date: Thu, 25 Jul 2019 15:24:01 -0500

Hi Michael,

UMN recently developed the attached questions for vendors, adapted from the
BTAA questionnaire. The questionnaire is divided into a limited set of
initial screening questions, then a more extensive set for finalists.

Question DS12 on the Finalist tab deals with RBAC. If the finalist's
response is insufficient and the security level of the service warrants it,
we may schedule a follow-up call with a technical contact at the vendor to
get more info.

Ray

On Thu, Jul 25, 2019 at 2:58 PM Menne, Michael S <michael.menne () mnsu edu>
wrote:

Good afternoon all,

As we continue to strengthen our third-party evaluations and monitoring
practices, we have started to ask more questions regarding role-based
access (AAA) rather than just security. The HECVAT has a few questions
regarding AAA, but it is pretty light.



We would like to know more about the role-based security access controls
available within applications / services in addition to the security
protections in place. We are trying to understand who has access to the
data we are putting into these systems and how they are consuming it.



Does anyone have anything they can share that would access more about
access controls as part of a vendor / software evaluation?



Thank you



*Michael Menne, CISSP*

*Chief Information Security Officer*

*IT Solutions Information Security*

*Minnesota State University, Mankato*

*Phone:  (507) 389-5705*



*Shop Safe Online. Learn More. <https://link.mnsu.edu/shopsafeonline>*






*Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all copies
of the original message.*





-- 

Ray Phillips
Security Risk Analyst, CISA
University Information Security | OIT
University of Minnesota | umn.edu
phillips () umn edu | (612) 626-0568

Attachment: _UMN Information Security Questions for Purchasing IT Solutions_Services.xlsx