Data and Document Standards - Shared Responsibility
Protecting and Securing Data at NDSU is a Shared Responsibility.
The data and IT resources at NDSU are protected by a shared responsibility model. This model defines the responsibilities of:
- The NDSU IT Division
- Distributed IT if applicable
- Third Party Providers if applicable
- The NDSU Staff, Faculty, and Students
Data and services at NDSU are on a "Need To Know" basis, meaning that an individual should only have access to the data and services that are necessary to complete their work or the task at hand.
- Access should only be granted to individuals that need the access
- Access should be removed as soon as possible, once that access is no longer required
- Reviews of access to data or services should be done annually
Services and Data are to be used securely and properly.
Comply with Federal, State, and local laws, regulations and policies
Follow guidelines by IT Security
Work securely away from your desk
Use of personal devices
- The use of Personal Accounts to access services or data at NDSU is not permitted. Using a non-vetted account for NDSU related business could potentially open that account to North Dakota Open Records laws, as well as put the data generated or stored on that account in danger of being compromised.
- IT Security scans the network looking for servers and vulnerable systems in order to prevent those systems from becoming compromised
- Critical Vulnerabilities: computers that can be compromised easily and have a critical rating will be blocked immediately
- IT Security will attempt to notify the individuals who use the devices before blocking
- High Vulnerabilities: owners of computers that have a high rating will be sent a notification
- The computers will be flagged and, in two weeks, blocked
Data typically has to be stored in order to be viewed, manipulated, and used for its intended purpose. Storage should be secure and access to data should be authenticated and authorized, to maintain integrity, authenticity, and accuracy.
Reporting a Breach or Compromise
Breaches occur. They can be due to a misconfiguration, an undisclosed software vulnerability, a click on a link in an email, or someone entering credentials into a page that looks like a proper login page. When a breach is discovered, it should not be a source of embarrassment or shame; instead, it should be reported as soon as possible to make sure that mitigation occurs as soon as possible.
- A description of what data was possibly breached
- When it was noticed or reported
- If it was reported, please give the original documentation of the report
- Who is responsible for the data or service
- What kind of monetary or reputational damage this breach could incur
- Please provide an indication of how the breach could have occurred
- If there is any log data, please include that data