Who Really Reads the Fine Print?
December 18, 2020
Article at a Glance
- Biola could be held responsible if a software vendor suffers a cybersecurity attack, or mishandles our data.
- IT and other teams work hard to ensure that every technology agreement protects Biola’s people, resources, and reputation.
- You can take steps to help speed up the review and purchase process.
All of us depend on technology for our work. Many apps and web services have improved the efficiency and quality of our business processes. However, since most technology processes university data, software and online services can present a risk to the university.
If a software company is compromised or suffers a data breach, Biola could be affected.
Just this year, one of Biola's vendors suffered a ransomware attack. Thankfully, due to our data protection terms, this had no detrimental financial impact on the university.
The last thing we want is for our data—or our student’s information—to be compromised because of a vendor’s poor security practices
Whenever you purchase a new app or technology service for your Biola work, several teams work together to review the new technology, including the Purchasing, Legal, Risk Management, and IT teams. We negotiate with the vendor and modify the terms and conditions to protect Biola’s people, resources, and reputation.
This month we explain IT’s part of the review process, and how you can contribute to acquiring new technology quickly and painlessly.
What Biola IT Does
Biola IT reviews every app and technology service that departments request. Here’s what we review, and why:
- Scope: The first thing we look at is who will be using the software or service, and what sort of data it handles. This informs the rest of our review process. If a software or service is used by more people or handles sensitive data, it significantly increases risk to the university and requires a more rigorous review. Sensitive PII, FERPA-protected data, and protected health information (PHI) have the highest levels of risk.
- Data protection: Based on the scope of users and type of data, we review terms of service, privacy policies, SOC and HECVAT reports, data processing agreements, and any other available security documentation to determine if the vendor protects Biola’s data with our required level of security. In many cases, we need to add specific data protection terms to the contract to protect university data.
- Accessibility: We review third-party audits to make sure vendors offer an adequate level of service to students and employees who require assistive technology.
- Support: We review support policies so that we can determine how the vendor takes care of users, and what kind of support Biola IT will be required to offer.
- Systems: We determine if any other Biola systems, servers, or services will be required to support or interact with the new app or service. This tells us which IT personnel will need to be involved, and how long implementation is likely to take.
- Functionality: We determine how the app or service works, so that we can make sure it’s compatible with Biola’s existing technology, and that it’s not duplicating a service that we already support.
This process can take a week or more. Our goal is to make sure that every new app or service matches Biola’s high standards for quality, security, accessibility, and supportability. Thank you for your patience!
What You Can Do at Work
Whenever you submit a purchase request for an app or technology service, you should take the following steps:
- Submit your request far in advance of the date you want to start using the new technology. Because of the volume of incoming requests, it helps to have weeks or months to prioritize, assign, review, and implement the requested technology.
- Fill out and submit a software purchase request form including as much detail as possible. This helps speed up our triage process for incoming requests.
- Tell us if you’ve already submitted a contract for the app or service.
- Include contact information for your vendor representative if you have one. We frequently need to contact a rep to gather specific information about the technology.
- Respond promptly to all communications about your request. We want to help you get your technology quickly.
Additionally, you should give the Legal team at least four weeks to review any technology contract.
What You can Do at Home
- What personal information they collect, how, and why
- What they do with your personal information
- How they protect your personal information
- How they empower you to control what data they keep and for how long
Then, determine if the app or service is worth it. Additionally, you should carefully review the permissions required by any new app.
Early review of apps and web services can protect us all from compromised data down the road.