Topics Map > Services > Security > Data and Document Standards

Data and Document Standards - Shared Responsibility

Protecting and Securing Data at NDSU is a Shared Responsibility.

The data and IT resources at NDSU are protected by a shared responsibility model. This model defines the responsibilities of:

  • The NDSU IT Division
  • Distributed IT if applicable
  • Third Party Providers if applicable
  • The NDSU Staff, Faculty, and Students
 
Shared Responsibility Table
Security Stakeholder responsibilities System where institutional data is processed, handled, stored, or created
Systems centrally managed by the IT Division Online platforms/ third party services/ online apps regardless of cost Systems managed by the department
IT Division
  • Follow industry best practices to secure systems and data.
  • Perform a security review according to the security requirements provided by the administrator who owns the data or contracts the service.

  • Provide Single Sign On or central authentication service if applicable.
  • Provide general security guidance without specifics.

  • Provide Single Sign On or central authentication service if applicable.
Leadership (Division, department, unit, or other)
  • Understand leadership’s share of responsibility for securing the data entrusted to them.

  • Understand leadership’s responsibility for keeping systems secure.

  • Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc.

  • Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them.

  • Ensure staff do not use institutional platforms to store, process, or create employee personal sensitive data.

  • Follow records management policy and regulations: https://kb.ndsu.edu/99178

  • Ensure the departmental IT professionals or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216
  • Manage access when employees start, depart, or their duties change to ensure employees have access only to functions and data needed for their duties.

  • Alert the IT Division of any security issues.
  • Understand leadership’s share of responsibility for securing the data entrusted to them.

  • Understand leadership’s responsibility for keeping systems secure.
  • Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc.

  • Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them.

  • Follow records management policy and regulation: https://kb.ndsu.edu/99178

  • Ensure the departmental IT professionals and/or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216

  • Alert the IT Division of any security issues.

  • Ensure that departmental IT professionals and/or support staff maintain working knowledge of contemporary security practices.

  • Contact IT for a security and contract review before procurement and at renewal.

  • Ensure staff only use approved platforms to store, process, or create institutional data.

  • Ensure their third party providers follow security best practices.
  • Understand leadership’s share of responsibility for securing the data entrusted to them.

  • Understand leadership’s responsibility for keeping systems secure.

  • Understand leadership’s regulatory responsibility covering data, for instance, FERPA, GLBA, CMMC, NDCC, etc.

  • Ensure staff are aware of their regulatory, security, and privacy responsibilities and enforce them.

  • Ensure staff do not use institutional platforms to store, process, or create employee personal sensitive data.

  • Follow records management policy and regulations: https://kb.ndsu.edu/99178

  • Ensure the departmental IT professionals and/or support staff are aware of their security responsibilities and enforce them: https://kb.ndsu.edu/118216

  • Manage access when employees start, depart, or their duties change to ensure employees have access only to functions and data needed for their duties.

  • Alert the IT Division of any security issues.
  • Ensure that departmental IT professionals and/or support staff maintain working knowledge of contemporary security practices.

Staff
  • Understand their share of responsibility to safeguard the entrusted data.

  • Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing.
  • Use institutional resources for official business only, etc.

  • Understand their share of responsibility to safeguard the entrusted data.

  • Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing.
  • Use institutional resources for official business only, etc.

  • Understand their share of responsibility to safeguard the entrusted data.

  • Follow appropriate security practices to access the data/service/platform. Some examples are: use only approved platforms, create a secure unique password, do not reuse passwords, and be aware of phishing.
  • Use institutional resources for official business only, etc.

Departmental IT Professional
  • Recognize that IT security is part of every IT Professional duties.

  • Understand their responsibility to aid the department in safeguarding the entrusted data and systems.

  • Stay current with security best practices.

  • Support the department and ensure that security best practices are followed.

  • Alert the IT Division of any security issues.
  • Recognize that IT security is part of every IT Professional duties.

  • Understand their responsibility to aid the department in safeguarding the entrusted data and systems.

  • Stay current with security best practices.

  • Support the department and ensure that security best practices are followed while using third party services. 

  • Alert the IT Division of any security issues.
  • Recognize that IT security is part of every IT Professional duties.

  • Understand their responsibility to aid the department in safeguarding the entrusted data and systems.

  • Stay current with security best practices.

  • Support the department and ensure that security best practices are followed.

  • Alert the IT Division of any security issues.

  • Follow the Zero Trust Model.
  • Understand the responsibilities of distributed IT personnel https://kb.ndsu.edu/118216

  • Implement all basic requirements found in NIST 800-171 Rev. 2 on every system managed by the department.
  • Assess and Implement any necessary derived requirements found in NIST 800-171 Rev. 2 on any system managed by the department.

  • Implement systems in accordance with NDSU and NDUS policy.

  • Stay current with any vulnerabilities that may affect departmental systems and patch accordingly or implement recommended mitigation. 

  • Actively participate in relevant professional groups on campus, especially IT Technical Professionals and the Cybersecurity Group.

Access

Data and services at NDSU are on a "Need To Know" basis, meaning that an individual should only have access to the data and services that are necessary to complete their work or the task at hand.
  • Access should only be granted to individuals that need the access.
  • Access should be removed as soon as possible, once that access is no longer required.
  • Reviews of access to data or services should be done annually.
Please see Identity and Access Management - Get Started to find directions on how to grant, remove, and review access to storage, services, and websites that you may be the owner of.

Usage

Services and Data are to be used securely and properly.
Comply with Federal, State, and local laws, regulations and policies.
Follow Guidelines by IT Security:
Use of Personal Devices: 
Use of Personal Accounts:
  • The use of Personal Accounts to access services or data at NDSU is not permitted. Using a non-vetted account for NDSU related business could potentially open that account to North Dakota Open Records laws, as well as put the data generated or stored on that account in danger of being compromised.
Network Protections:
  • IT Security scans the network for vulnerable systems, this scan will NOT find insecure configurations, open ports, or default usernames and passwords, Individuals will NEED to make sure that the computers they support are properly configured, firewalled, and default usernames and passwords are changed.    
    • IT Security will attempt to notify individuals those individuals that use the devices before blocking.
    • The computers will be flagged and in two weeks the computer will be blocked.
    • Critical Vulnerabilities or Computers that can be compromised easily and have a critical rating will be blocked immediately.  
    • High Vulnerabilities or Computers that have a high rating will have a notification sent to owners. 
  • The network is monitored for unusual traffic patterns, and will be blocked if unusual traffic is occurring. 

Storage

Data typically has to be stored in order to be viewed, manipulated, and used for its intended purpose. Storage should be secure and access to data should be authenticated and authorized, to maintain integrity, authenticity, and accuracy.

Reporting a Breach or Compromise

Breaches occur, they can be due to a misconfiguration, an undisclosed vulnerability of software, a click on a link in an email, or someone entering credentials into a page that looks like a proper login page. When these breaches are discovered it should not be a source of embarrassment or shame, instead it should be reported as soon as possible to make sure that mitigation occurs as soon as possible.
When a breach is discovered please report it to ndsu.itso@ndsu.edu
Please include:
  • A description of what data was possibly breached.
  • When it was noticed or reported.
  • If it was reported, please give the original documentation of the report.
  • Who is responsible for the data or service.
  • What kind of monetary or reputation damage this breach could incur.
  • Please provide an indication of how the breach could have occurred.
  • If there is any log data, please include that data.


Keywordssecurity, data and document standards, shared responsibility   Doc ID103813
OwnerJeff G.GroupIT Knowledge Base
Created2020-07-09 09:36:48Updated2024-01-10 11:40:47
SitesIT Knowledge Base
Feedback  0   0