Educause Security Discussion mailing list archives

Security for vendors that manage student data


From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Wed, 7 Aug 2019 14:03:06 +0000

Hi all,

  When you are evaluating a 3rd-party vendor to process/manage your student data, specifically if you are transferring 
the data to them in a feed/file transfer, what security requirements do you require or look for in the MSA for that 
company?

I have a checklist that external counsel and I created years ago, looking for a handful of specific things.

One of them is specifically:

      12.  Do you have external evaluation of your systems, processes, and/or code (that deals with our student data) 
by qualified security assessors (Penetration Testing, 3rd-party code review, SOC2 analysis, etc.)?


If the company responds with 'No', I am very cautious about the company.  It does not necessarily mean we won't use 
them, but I do explain to the department my reservations.

I wanted to get thoughts from the group on whether you do something similar when evaluating Master Service Agreements for 
your University.

-Jonathan


~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743



