Guidelines for use of software and web-based services used by faculty and staff
To protect NDSU, yourself, and the data you work with, NDSU policy 712, Contract Review, and North Dakota System policy 840, Contracts, require that you use only software and services whose license agreements have been reviewed and approved by the NDSU General Counsel's office.
Many NDSU faculty and staff enjoy and use no-cost or free software and web-based services available on the Internet for education, research, and business-related processes. These products can include, but are not limited to, Dropbox, Evernote, Free Quiz Maker, Splashtop Streamer, RemindMe 101, Facebook, Twitter, and many others. NDSU must be mindful of the legal restraints, privacy concerns, and security issues that exist for these products. These include, but are not limited to:
- The license and contractual provisions
  - The majority of the agreements are not compatible with North Dakota law; most notably, the sections of the agreement that describe and detail indemnification and jurisdiction. Most do not contain any language about what notification, if any, would occur if there were a breach or compromise of the software, service, and/or account. These software applications and services can potentially be used, inadvertently or purposefully, to collect, store, and use protected information, which can put the University at serious risk.
- Privacy concerns
  - Many of the products and services that are designed to share information or to collect information for marketing purposes have few or no basic privacy safeguards built in to protect the user and their information. Therefore, these products may not be compliant with the Family Educational Rights and Privacy Act (FERPA), which covers educational records including course assignments, projects, and grades. Additionally, they may not be compliant with privacy laws that cover personally identifiable information, or data that is classified as confidential, such as financial information, health-related data, contracts and legal agreements, etc.
- Security issues
  - It is important for NDSU faculty and staff to be mindful of basic security concerns associated with our students' information. Because of the open and sharing nature of many of these products and services, security standards are lacking or nonexistent. A breach could compromise students' information that is stored within that product or service.
- The product's intended use
  - The Americans with Disabilities Act (ADA) requires NDSU to provide academic adjustments and auxiliary aids and services to students with disabilities for equality of opportunity. Many of these products, while they may be a great resource and provide an effective pedagogical tool for teaching, are not ADA compliant, which has the potential to cause serious legal issues for NDSU.
  - Most of the products are intended only for personal use or for trial use in testing to see if they fit a consumer's needs. Using them in a business or educational environment can constitute infringement and misuse, which can result in litigation against the University.
It is important for NDSU faculty and staff to provide an innovative, engaging, efficient and productive atmosphere for instructional learning and business related to the University while remaining mindful of NDSU policy and procedure and all applicable federal and state regulations when creating that environment. To encourage this, when selecting a product or online service it is important to engage the General Counsel's office to review and approve the license or contract associated with that product.
Please understand that using software or a web-based service whose contractual language contains prohibited provisions, or which could lead to a security breach or data loss, may be considered a violation of NDSU policy and/or federal and state law and could be detrimental to the scope of your NDSU employment. This could result in discipline as well as potential liability. We encourage you to seek guidance from the individuals identified below with regard to your questions.
NOTE: The use of open source software, e.g., Linux operating systems and Apache web software, when used in a production environment and managed by IT professionals, is not within the scope of these guidelines.
If you have questions, or would like more information, please contact:
Assistant General Counsel
Chief IT Security Officer
April 15, 2014
The Internet was stunned to learn of a significant security vulnerability this last weekend. OpenSSL, software that is used by services throughout the Internet to verify that websites are legitimate, was found to have a core flaw. Essentially, anyone from anywhere could send a specially crafted packet to a service or site using OpenSSL, asking if the server is still accepting communications, and the server would return up to 64 kilobytes of whatever was in its memory at the time of the request. This return could contain usernames and passwords, documents, or even security certificates. The OpenSSL foundation responded and fixed the core code of OpenSSL, but there are still hundreds of thousands of devices and services that are running the old version of the software. Please check for updates on your devices, and change any passwords for sites you may be concerned about. However, only change those passwords after a site has patched its services, revoked its old security certificate, and created a new one.
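The flaw described above came down to one missing length check: the server copied as many bytes as the request claimed to contain, not as many as it actually received. The following C program is an added illustration written for this page (it is not OpenSSL code and does not talk to any network); it models process memory as a single constructed arena, places a heartbeat-style record next to a constructed sample secret, and runs a responder both without and with the bounds check that the fix introduced. All names (`arena`, `handle_heartbeat`, `build_arena`, the scenario helpers) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added toy model of the 2014 OpenSSL heartbeat defect; not OpenSSL's code.
 * Record layout modelled here: 1 byte type, 2 bytes big-endian declared
 * payload length, the payload, then padding. The responder echoes the payload.
 * Assumption: process memory is one fixed arena, so the vulnerable over-read
 * stays inside the arena and the simulation has no undefined behaviour. */

#define ARENA_SIZE      4096
#define HB_HEADER       3
#define HB_PADDING      16
#define HB_MAX_RESPONSE 65535

static uint8_t arena[ARENA_SIZE];            /* modelled process memory */
static uint8_t response[HB_MAX_RESPONSE];    /* what the responder sends back */

/* Write a heartbeat record at the start of the arena, then a sensitive string
 * immediately after it (as a stale buffer next to the network buffer would be).
 * The declared length is whatever the sender claims; the real payload may be
 * shorter. Returns the number of bytes the record actually occupies. */
size_t build_arena(uint16_t declared_len, const char *real_payload, const char *secret) {
    size_t real_len = strlen(real_payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request type */
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xffu);
    memcpy(arena + HB_HEADER, real_payload, real_len);
    size_t rec_len = HB_HEADER + real_len + HB_PADDING;
    memcpy(arena + rec_len, secret, strlen(secret)); /* adjacent memory */
    return rec_len;
}

/* Heartbeat responder. bounds_check == 0 trusts the declared length (the
 * unpatched behaviour). bounds_check == 1 requires header + declared payload +
 * padding to fit inside the bytes actually received and silently drops the
 * request otherwise, which is the shape of the fix. Returns bytes echoed, or
 * -1 when the request is dropped. */
long handle_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap, int bounds_check) {
    if (rec_len < HB_HEADER) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if (bounds_check && (size_t)HB_HEADER + declared + HB_PADDING > rec_len) return -1;
    if ((size_t)declared > out_cap) return -1;
    /* Simulation guard only: keep the over-read inside the modelled memory. */
    if (rec + HB_HEADER + declared > arena + ARENA_SIZE) return -1;
    memcpy(out, rec + HB_HEADER, declared);   /* over-reads when declared > real payload */
    return (long)declared;
}

/* Does a response of out_len bytes contain the adjacent secret? */
int response_leaks(const uint8_t *out, size_t out_len, const char *secret) {
    size_t slen = strlen(secret);
    if (slen == 0 || out_len < slen) return 0;
    for (size_t i = 0; i + slen <= out_len; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Scenario helpers: build the arena, run the responder, report results. */
long scenario_echoed(uint16_t declared, const char *payload, int bounds_check) {
    size_t rec_len = build_arena(declared, payload, "db_password=hunter2"); /* constructed secret */
    return handle_heartbeat(arena, rec_len, response, sizeof response, bounds_check);
}

int scenario_leaks(uint16_t declared, const char *payload, int bounds_check) {
    const char *secret = "db_password=hunter2";                            /* constructed secret */
    size_t rec_len = build_arena(declared, payload, secret);
    long n = handle_heartbeat(arena, rec_len, response, sizeof response, bounds_check);
    return n > 0 && response_leaks(response, (size_t)n, secret);
}

int main(void) {
    /* A 4-byte payload that claims to be 1024 bytes long. */
    printf("unpatched: echoed %ld bytes, leaked secret = %d\n",
           scenario_echoed(1024, "ping", 0), scenario_leaks(1024, "ping", 0));
    printf("patched:   echoed %ld bytes (negative means dropped)\n",
           scenario_echoed(1024, "ping", 1));
    /* An honest request whose declared length matches its payload still works. */
    printf("patched, honest request: echoed %ld bytes\n", scenario_echoed(4, "ping", 1));
    return 0;
}
```

The unpatched path returns 1024 bytes for a 4-byte payload and the constructed secret appears in the response; the patched path drops the same request and still answers an honest 4-byte heartbeat. The design point for any protocol handler is the same: a length field inside the message is attacker-controlled data and must be checked against the number of bytes actually received before it drives a copy.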
December 5, 2013
Over 2 Million passwords to popular webpages discovered.
In mid-June, Trustwave SpiderLabs researchers were able to view information in the Pony Botnet controller indicating that over 650,000 website credentials had been harvested by this particular botnet, which is fairly widespread. On Tuesday they announced that, upon a more detailed look, over 2 million passwords have been harvested by this botnet. Many of these services have now been notified and are taking corrective action on those accounts that have been compromised.