As a reminder, University Policy 808, the Protection of University Data and Information, requires that all members of the community take appropriate precautions to protect the privacy of information entrusted to our care.
University Policy 808, Protection of University Data and Information
https://policy.rice.edu/808
One area that is often overlooked is making sure any external information technology service providers used by organizations and departments are practicing good security hygiene and being good stewards of data we share with them.
The Information Security Office (ISO) regularly performs thorough, standards-based reviews that can help provide departments more visibility into areas of concern that may not be obvious or otherwise addressed from conversations with potential service providers. For example, our review process can help identify poor or missing vendor security best practices or missing contract terms required for the kinds of data to be used. We are also able to identify and help draft departmental data handling procedures that may be missing when working with private information in these services. Problems like these can expose Rice (and the organization or department) to potential risk of exposure and unnecessary liability.
In order to ensure that we are taking the necessary precautions to protect the privacy of sensitive and confidential information, all new information technology services in the cloud, on campus, or a combination of either must be reviewed by the Information Security Office (ISO) before purchases are made or contracts are signed.
Please let me know if you have any questions about this or our review process. You can request a service review for a new or existing service by contacting the OIT Help Desk at 713-348-HELP or helpdesk@rice.edu.
As always, thank you for your help in protecting the security and privacy of our private information.
Marc Scarborough
Chief Information Security Officer