Data and Document Standards - Shared Responsibility
The data and IT resources at NDSU are protected by a shared responsibility model. This model defines the responsibilities of:
- The NDSU IT Division
- Distributed IT if applicable
- Third Party Providers if applicable
- The NDSU Staff, Faculty, and Students
System where institutional data is processed, handled, stored, or created:

Security stakeholder responsibilities | Systems centrally managed by the IT Division | Online platforms / third-party services / online apps regardless of cost | Systems managed by the department |
---|---|---|---|
IT Division | | | |
Leadership (Division, department, unit, or other) | | | |
Faculty and Staff | | | |
Departmental IT Professional | | | |
Access
- Access should only be granted to individuals that need the access.
- Access should be removed as soon as possible, once that access is no longer required.
- Reviews of access to data or services should be done annually.
Usage
- Personal devices must never be used to access or store NDSU sensitive data.
- Protect Yourself and Others - Lock Your Computer
- The use of personal accounts to access services or data at NDSU is not permitted. Using a non-vetted account for NDSU-related business could potentially open that account to North Dakota Open Records laws, as well as put the data generated or stored on that account in danger of being compromised.
- IT Security scans the network for vulnerable systems. This scan will not find insecure configurations, open ports, or default usernames and passwords. Individuals will need to make sure that the computers they support are properly configured, have proper firewall configurations, and have had their default usernames and passwords changed.
- IT Security will attempt to notify individuals that use devices that have vulnerabilities before blocking.
- The computers will be flagged and in ten days the device will be blocked.
- Critical Vulnerabilities or devices that can be compromised easily and have a critical rating will be blocked immediately.
- High Vulnerabilities or devices that have a high rating will have a notification sent to owners.
- The network is monitored for unusual traffic patterns, and will be blocked if unusual traffic is occurring.
Storage
Reporting a Breach or Compromise
- A description of what data was possibly breached.
- When it was noticed or reported.
- If it was reported, please give the original documentation of the report.
- Who is responsible for the data or service.
- What kind of monetary or reputation damage this breach could incur.
- Please provide an indication of how the breach could have occurred.
- If there is any log data, please include that data.