Vendor Wants Access To Institution Database

["Self, Dennis" <dlself () SAMFORD EDU>]

Samford University operates one Banner system for all colleges, eight schools.  Our law school operates an admissions 
product called ACES2.  They offer a server that uploads admissions data into the Banner system with insert and write 
capability.  Of course, this would also give access to read the data.  The data includes demographics for all 
constituents of the institution, that is employees, students and alumni, past and present, as well as admissions and 
general student data.  Further, this includes access to SSN data and test scores (FERPA implications).  To date we have 
not allowed the access.

We are struggling with the decision to allow an outside firm/server to have access to such a vast amount of institution 
data.  I would like to hear if you have dealt with the decision to allow/disallow similar access and your rationale, 
please.

Dennis Self
Director, IT Security & Compliance
Samford University
800 Lakeshore Drive
Birmingham, AL 35229-2293
(205) 726-2692