University of Colorado at Boulder    
Information Technology Services

Spring 2009 Edition

About One On One with ITS
 

IT Security Updates

Privacy & Security Training

Information privacy and security training is available through CUConnect for all university employees who are entrusted with protecting university IT resources. To access this course, which focuses on how to protect sensitive data, follow these steps:

    • Log into cuconnect.colorado.edu with your IdentiKey
    • Select Training from the MyCU links on the Welcome tab
    • Click on the My Training tab
    • Select Click here for SkillPort - CU's Online Learning tool
    • Select CU Learning Programs under the shortcuts menu

You can expect the training to take about 30 minutes.

As supervisors, we have the responsibility to ensure that our employees understand that they are each entrusted with protecting sensitive information in addition to protecting campus computing and networking resources. While the information security training is required for all faculty and staff, student employees who handle sensitive data should also take the course. It is up to supervisors and appointing authorities to determine which of their student employees handle sensitive data (such as student information) and then ensure that these employees avail themselves of this training course. As a supervisor, you can verify the training completed by your employees by following these steps:

    • Log into cuconnect.colorado.edu with your IdentiKey
    • Select Training from the MyCU links on the Welcome tab
    • Click on the My Training tab
    • Check the training history for your employees (located at the bottom of the page)

Did you know?

Did you know that when you open or copy a file from a file server, the contents of the file are sent across the network in plain text? This means that others connected to the network can view the transmitted information. For example, if you copy a spreadsheet containing names, social security numbers, and birthdates from your laptop to a server over a wireless network, another wireless user could capture and view that data.

For this reason, we recommend that you always use the campus VPN when connected to your file server over the wireless network. The campus is also working to mitigate this risk by providing an encryption suite called PGP that will encrypt data when it is stored on the computer and when it is sent over the network. Additionally, ITS is evaluating blocking the type of traffic used for file servers from the campus wireless networks.

What to ask before signing up for third party services

Software as a service (SaaS), application service providers (ASP), consulting, or other outsourced IT services are often required to support campus administrative, academic, and/or research efforts. Before entering into an agreement for such third party IT services, there are a variety of items to consider in addition to cost. Considerations regarding third party contracts include:

    • Are all parties clear about the provided service? While this seems obvious, expectations are often vague or ambiguous. Explicit, clearly-stated expectations for the third party are necessary prior to signing a contract; otherwise you are likely to waste time and budget.
    • How do you get out of the agreement? Any agreement must clearly define what is required for you or the third party to terminate the service. In addition to termination considerations, you should be fully informed regarding the maximum duration of the agreement, and the criteria for gaining access to your intellectual property or university data if the agreement is terminated.
    • What are the defined responsibilities of the third party regarding the protection of your intellectual property or the university’s data? Are there additional fees if it is necessary to audit access to the third party systems or service, or to restore data from a backup?
    • Are you authorized to sign the agreement? In most cases, terms of service agreements are considered legally binding contracts and, as such, can only be signed by a legal representative of the university.
    • Is the language of the contract acceptable to the state of Colorado? Many contracts have language that is contrary to Colorado statutes; for example, third party contracts often have language for indemnification or a hold harmless provision. However, Colorado state statutes oppose accepting this language, except in rare cases.
    • What happens if the third party changes the terms of service? A significant change could have negative consequences to the university’s internal processes.
    • Do the service levels meet your own requirements for internal processes? For example, if your internal processes would be damaged if service were unavailable for 24 hours, the agreement should reflect a level of service that guarantees a response time and remedies that would address your needs for higher availability.
    • Do you have authorization to post the content? Defining who the copyright holder is and/or what processes need to occur to lawfully obtain copyright is important; e.g., obtaining student approval before posting a class video project.
    • How is data protected? Consider the case of hosting university discussions on a third party system. The discussions most likely are considered a university record and have to be protected appropriately. In most instances, the information should be maintained on a university-owned or university-controlled system. The term "controlled" can mean either that the system is physically located and managed locally, or that control takes the form of an explicit contract. If the campus does not have a service capable of supporting a particular business need, then a third party option may be appropriate. This option must still meet all campus requirements regarding adequate protection of the data, which means establishing a contract with the third party to appropriately articulate what data might be classified, restricted, and/or private and how the data will be protected. Campus standards are posted on the IT Security web pages (www.colorado.edu/itsecurity) and you are encouraged to contact the IT Security Office for additional guidance.

In the following cases, the Campus IT Security Office should work with you to ensure that the third party service or contract meets both your needs and our campus standards:

.


Last reviewed: May 01, 2009

© 2000
The Regents of the University of Colorado