Trust But Verify
Oh, the many ways that organizational information can be lost: insiders, outsiders, mistakes, malicious actions, theft, loss, and the list seems to go on and on. Yet one area that tends to be overlooked quite often is contracted third parties. As several colleges and universities have found out recently, third-party actions can have serious consequences for the campus community.
What am I talking about? Well, thus far in April several institutions have had confidential information lost and/or stolen from a trusted third party. The University of Miami notified 47,000 patients after backup tapes were stolen from an off-site storage company. Northwest Missouri State University, Buffalo State College and four Connecticut State University System campuses have had to alert 1,100, 16,000 and 3,400 students respectively after a laptop belonging to a vendor was stolen.
As shown above, as well as at the end of a previous post, third-party loss of college/university information is not unknown within higher education. As more and more educational institutions reach out to third-party companies for support and development, more internal information will be traveling outside of the institution's control. Colleges and universities should start looking at ways to control this risk by placing control requirements into vendor agreements.
Some of the controls that should be considered are time limits on how long the information can be stored by the vendor, limits on how many vendor employees can access the data and how many copies of it can exist, and data-protection requirements such as mandatory encryption on portable equipment (the laptops and backup tapes in the incidents above are exactly the kind of device that walks out the door). One of my personal favorites is to ask vendors for a copy of their internal security control procedures/policies, and to ask which employee (at the vendor) is responsible for the safety and security of the information they are requesting.
We need to stop blindly trusting our vendors and make sure that they have controls in place to properly handle an incident and minimize the effects of a data breach/loss/theft when it occurs. After all, it is not a question of if but when such an event will happen to your institution.