Software Security Review Q and A

NDSU is entrusted with data from many sources and those stakeholders expect NDSU to exercise the utmost care and protect that data. To safeguard this data’s security and privacy, it is imperative that all software and services undergo security vetting before deployment.

When you ask for Data Fields, what are you asking for?

Almost all data has regulation, policy, or contractual language that applies to it, such as ND open records or FERPA. To ensure the software or online service complies with those requirements, it’s crucial to understand the types of information the system will receive, process, create, store, or transmit.

The detailed list of data fields that the review requester provides is used by IT Security to determine whether the third party provider has adequate security and privacy as required by the specific regulation that applies to the data. Because of this, security reviews are based on the combination of the system to be contracted and the data the system will handle.

To ensure the software or online service maintains compliance with rules, regulations, and laws, it’s crucial to understand the types of information you, as the user, will input, how the system will process that information, and what information is expected in the output.

Data fields include, but are not limited to:

  • Name
  • Email address, physical address, phone number, etc.
  • Lab data (be aware of any contract or grant language that applies)
  • Financial information
  • Interviews and transcriptions of interviews (some regulations that may apply: FERPA, IRB)
  • Recordings
  • Education records; in summary, any information about a student as defined by FERPA
  • Notes of meetings
  • Images
  • Assessments or evaluations
  • Surveys
  • etc.

Listed below are various regulations and laws, along with examples of specific data fields that require enhanced security measures and careful examination when they are entered into software or online services.

  • North Dakota Century Code Chapter 51-30 - Security Breach Notifications
    • Defines which data fields, if breached on a system or service used by an entity in the state of North Dakota, require the entity to notify the affected individuals:
      • Social Security numbers
      • ND driver's license number
      • ND non-driver's license ID number
      • Financial information (bank account number, credit card number, financial security code or password)
      • Date of birth
      • Mother's maiden name
      • Medical information
      • Health insurance information
      • Employee identification number
      • Digital or electronic signatures
  • Family Educational Rights and Privacy Act (FERPA)
    • Almost any information related to students, with the exception of directory information. FERPA defines an “education record” as a record that is directly related to a student and that is maintained by an educational agency or institution, or by a party acting for or on behalf of the agency or institution.
    • Examples include but are not limited to:
        • Class schedules
        • Class location and time
        • Student work
        • Student grades
        • Disciplinary records
        • Financial aid information
        • Student employment records
        • Social Security numbers
  • Gramm-Leach-Bliley Act (GLBA)
    • GLBA requires protecting any information that a financial institution gets from or about a customer when providing a financial product or service. In NDSU’s case, it is any information that is used for financial aid purposes.
  • If you are party to a contract or grant related to the software or online service, it is essential to understand how your information is to be protected under the terms of that agreement. IT Security also requires this information to ensure compliance and protection.
Keywords: Software Security Review Questions and Answers Data
Doc ID: 137995
Owned by: Jeff G. in NDSU IT Knowledge Base
Created: 2024-06-19
Updated: 2024-07-16
Sites: NDSU IT Knowledge Base