Data and Document Standards - Shared Responsibility

Notice: If you are looking for resources on HyFlex teaching, please visit our Teach HyFlex Page

Protecting and Securing Data at NDSU is a Shared Responsibility.

The data and IT resources at NDSU are protected by a shared responsibility model. This model defines the responsibilities of:

  • The NDSU IT Division
  • Distributed IT if applicable
  • Third Party Providers if applicable
  • The NDSU Staff, Faculty, and Students
shared responsibility

Access

Data and services at NDSU are on a "Need To Know" basis, meaning that an individual should only have access to the data and services that are necessary to complete their work or the task at hand.
  • Access should only be granted to individuals that need the access
  • Access should be removed as soon as possible, once that access is no longer required
  • Reviews of access to data or services should be done annually
Please see Identity and Access Management - Get Started to find directions on how to grant, remove, and review access to storage, services, and websites that you may be the owner of.

Usage

Services and Data are to be used securely and properly.

Comply with Federal, State, and local laws, regulations and policies
Follow guidelines by IT Security
Travel securely
Work securely away from your desk

Use of personal devices 
Use of personal accounts
  • The use of Personal Accounts to access services or data at NDSU is not permitted. Using a non-vetted account for NDSU related business could potentially open that account to North Dakota Open Records laws, as well as put the data generated or stored on that account in danger of being compromised.

Storage

Data typically has to be stored in order to be viewed, manipulated, and used for its intended purpose. Storage should be secure and access to data should be authenticated and authorized, to maintain integrity, authenticity, and accuracy.

Reporting a Breach or Compromise

Breaches occur, they can be due to a misconfiguration, an undisclosed vulnerability of software, a click on a link in an email, or someone entering credentials into a page that looks like a proper login page. When these breaches are discovered it should not be a source of embarrassment or shame, instead it should be reported as soon as possible to make sure that mitigation occurs as soon as possible.

When a breach is discovered please report it to ndsu.itso@ndsu.edu

Please include:
  • A description of what data was possibly breached
  • When it was noticed or reported
  • If it was reported, please give the original documentation of the report
  • Who is responsible for the data or service
  • What kind of monetary or reputational damage this breach could incur
  • Please provide an indication of how the breach could have occurred
  • If there is any log data, please include that data