Data and Document Standards - Shared Responsibility

• The NDSU IT Division
• Distributed IT if applicable
• Third Party Providers if applicable
• The NDSU Staff, Faculty, and Students

Security Stakeholder responsibilities	System where institutional data is processed, handled, stored, or created
	Systems centrally managed by the IT Division	Online platforms/ third party services/ online apps regardless of cost	Systems managed by the department
IT Division	Follow industry best practices to secure systems and data.	Perform a security review according to the security requirements provided by the administrator who owns the data or contracts the service. Provide Single Sign On or central authentication service if applicable.	Provide general security guidance without specifics. Provide Single Sign On or central authentication service if applicable.
Leadership (Division, department, unit, or other)	Understand leadership’s share of responsibility for securing the data entrusted to them. Understand leadership’s responsibility for keeping systems secure. Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc. Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them. Ensure staff do not use institutional platforms to store, process, or create employee personal sensitive data. Follow records management policy and regulations: https://kb.ndsu.edu/99178 Ensure the departmental IT professionals or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216 Manage access when employees start, depart, or their duties change to ensure employees have access only to functions and data needed for their duties. Alert the IT Division of any security issues.	Understand leadership’s share of responsibility for securing the data entrusted to them. Understand leadership’s responsibility for keeping systems secure. Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc. Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them. Follow records management policy and regulation: https://kb.ndsu.edu/99178 Ensure the departmental IT professionals and/or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216 Alert the IT Division of any security issues. Ensure that departmental IT professionals and/or support staff maintain working knowledge of contemporary security practices. Contact IT for a security and contract review before procurement and at renewal. Ensure staff only use approved platforms to store, process, or create institutional data. Ensure their third party providers follow security best practices.	Understand leadership’s share of responsibility for securing the data entrusted to them. Understand leadership’s responsibility for keeping systems secure. Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc. Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them. Ensure staff do not use institutional platforms to store, process, or create employee personal sensitive data. Follow records management policy and regulations: https://kb.ndsu.edu/99178 Ensure the departmental IT professionals and/or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216 Manage access when employees start, depart, or their duties change to ensure employees have access only to functions and data needed for their duties. Alert the IT Division of any security issues. Ensure that departmental IT professionals and/or support staff maintain working knowledge of contemporary security practices.
Staff	Understand their share of responsibility to safeguard the entrusted data. Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing. Use institutional resources for official business only, etc.	Understand their share of responsibility to safeguard the entrusted data. Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing. Use institutional resources for official business only, etc.	Understand their share of responsibility to safeguard the entrusted data. Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing. Use institutional resources for official business only, etc.
Departmental IT Professional	Recognize that IT security is part of every IT Professional duties. Understand their responsibility to aid the department in safeguarding the entrusted data and systems. Stay current with security best practices. Support the department and ensure that security best practices are followed. Alert the IT Division of any security issues.	Recognize that IT security is part of every IT Professional duties. Understand their responsibility to aid the department in safeguarding the entrusted data and systems. Stay current with security best practices. Support the department and ensure that security best practices are followed while using third party services.  Alert the IT Division of any security issues.	Recognize that IT security is part of every IT Professional duties. Understand their responsibility to aid the department in safeguarding the entrusted data and systems. Stay current with security best practices. Support the department and ensure that security best practices are followed. Alert the IT Division of any security issues. Follow the Zero Trust Model. Understand the responsibilities of distributed IT personnel https://kb.ndsu.edu/118216 Implement all basic requirements found in NIST 800-171 Rev. 2 on every system managed by the department. Assess and Implement any necessary derived requirements found in NIST 800-171 Rev. 2 on any system managed by the department. Implement systems in accordance with NDSU and NDUS policy. Stay current with any vulnerabilities that may affect departmental systems and patch accordingly or implement recommended mitigation.  Actively participate in relevant professional groups on campus, especially IT Technical Professionals and the Cybersecurity Group.

Data and services at NDSU are on a "Need To Know" basis, meaning that an individual should only have access to the data and services that are necessary to complete their work or the task at hand.

• Access should only be granted to individuals that need the access.
• Access should be removed as soon as possible, once that access is no longer required.
• Reviews of access to data or services should be done annually.

Services and Data are to be used securely and properly.

Comply with Federal, State, and local laws, regulations and policies.

• Acceptable Use and Policies

• Protect Yourself and Others - Secure your Accounts
• Protect Yourself and Other - Safe Computing

• Traveling Abroad with Electronic Devices 

Use of Personal Devices: 

• Personal devices must never be used to access or store sensitive NDSU data.
• Protect Yourself and Others - Lock Your Computer

• The use of Personal Accounts to access services or data at NDSU is not permitted. Using a non-vetted account for NDSU related business could potentially open that account to North Dakota Open Records laws, as well as put the data generated or stored on that account in danger of being compromised.

Storage

Data typically has to be stored in order to be viewed, manipulated, and used for its intended purpose. Storage should be secure and access to data should be authenticated and authorized, to maintain integrity, authenticity, and accuracy.

• File Storage and Sharing

Reporting a Breach or Compromise

Breaches occur, they can be due to a misconfiguration, an undisclosed vulnerability of software, a click on a link in an email, or someone entering credentials into a page that looks like a proper login page. When these breaches are discovered it should not be a source of embarrassment or shame, instead it should be reported as soon as possible to make sure that mitigation occurs as soon as possible.

When a breach is discovered please report it to ndsu.itso@ndsu.edu

Please include:

• A description of what data was possibly breached.
• When it was noticed or reported.
• If it was reported, please give the original documentation of the report.
• Who is responsible for the data or service.
• What kind of monetary or reputation damage this breach could incur.
• Please provide an indication of how the breach could have occurred.
• If there is any log data, please include that data.