Educause Security Discussion mailing list archives

Re: Securing Data in SaaS Applications


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 15 Feb 2018 22:18:01 +0000

Hi Cyndie,

Procurement person here...

This is a great set of questions - ones that you should discuss internally with other stakeholders at your institution.
The thing that matters most is that everybody is on the same page and knows who is doing that, so that it doesn't
accidentally turn out to be, "Mr/Ms. Nobody!"

Regards,


Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cyndie Holmes
Sent: Thursday, February 15, 2018 4:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Securing Data in SaaS Applications

The vendor completed the HECVAT and a university is purchasing a SaaS service. Now what? 

Trying to determine who has the responsibility for ensuring contracts or SLAs contain language that protects the 
institution's data. The owner (academic department or business function), procurement, IT, or Legal? Someone else?

If the contract or SLA contains sufficient protection for the institution's data, who monitors the vendor for 
compliance with the contract or SLA data security controls?

How are data security controls monitored if the contract or SLA contains no language for customer monitoring? Who 
monitors?

Thanks
