Educause Security Discussion mailing list archives
Security for vendors that manage student data
From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Wed, 7 Aug 2019 14:03:06 +0000
Hi all,

When you are evaluating 3rd party vendors to process/manage your student data, specifically if you are transferring the data to them in a feed/file transfer, what security requirements do you require or look for in the MSA for that company?

I have a checklist that external counsel and I created years ago, looking for a handful of specific things. One of them is specifically:

12. Do you have external evaluation of your systems, processes, and/or code (that deals with our student data) by qualified security assessors (Penetration Testing, 3rd party code review, SOC2 analysis, etc.)?

If the company responds with 'No', I am very cautious about the company. It does not necessarily mean we won't use them, but I do explain to the department my reservations.

I wanted to get thoughts from the group on if you do something similar when evaluating Master Service Agreements for your University?

-Jonathan

~
Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743