Re: SaaS responsibilities

[Todd Britton <tbritton () LAVERNE EDU>]

Hi Thomas,

                We too are struggling with this same issue. I would appreciate to know the answer as well.

Todd Britton, Ed.D.
PMP, CSM, CISM, CRISC, ITILv3F, MCSE, CGEIT
Assistant Vice President, Information Technology
Facilities and Technology Services Division
University of La Verne
Direct: 909-448-4124
tbritton () laverne edu<mailto:tbritton () laverne edu>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Friday, August 28, 2015 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SaaS responsibilities

Here, as I'm sure is happening everywhere, SaaS usage is exploding across campus. We in IT are struggling with forming 
policies around such usage and our responsibilities around those services. I would appreciate input in how others are 
handling this SaaS hydra. Does IT track all external services used? Does IT have the rights and/or information and/or 
responsibility for administration of these services? Does IT have any right of refusal for possibly insecure or 
unvetted services? Does IT have any other applicable policies such as SSO requirements, etc?

We're struggling with issues like when an employee leaves, how can we make sure they no longer have access to any 
school resources when some of those only reside in the cloud? Or when we don't even know about the service? How do we 
make sure a chosen solution integrates well into the rest of our environment when we may not be involved in the 
selection process?

I appreciate any answers, advice, or suggestions you can offer.

Thomas Carter
Network & Operations Manager
Austin College