Hi Jeff-

Forwarding over from the NDSU account in case there are issues with the NoteForge email. 

Answers, Data Dictionary, and SOC2 reports are available at https://noteforge.com/legal/compliance

Please let me know if there is anything else you need.

-Kyle

Kyle Vanderburg, DMA

Composer in Residence / Asst. Prof. of Practice
Challey School of Music
North Dakota State University

Music Ed. 115C / Dept. 2540, PO Box 6050 / Fargo ND 58108-6050

ndsu.edu | kylevanderburg.com | ndsucomposition.com



From: Kyle Vanderburg
Sent: Thursday, July 31, 2025 11:34
To: Gimbel, Jeff
Subject: Fw: NDSU Vendor Security Review Request - Liszt - 06-04-2025

Forwarding over; some additions to the below commentary:

  1. As a result of this security review, I have corrected many vulnerabilities with cross-site scripting and SQL injection.
  2. We are now using Aikido and Snyk regularly to identify vulnerabilities in the codebase.  

=======================
Kyle Vanderburg, DMA
Composer & Sound Artist
- https://kylevanderburg.com
Chief Creative Officer, NoteForge
- https://noteforge.com
Composer in Residence, NDSU
- https://ndsu.edu/music 




From: Kyle Vanderburg
Sent: Thursday, June 12, 2025 14:38
To: Gimbel, Jeff
Cc: Iverson, Jacoba ; Vanderburg, Kyle ; bill law
Subject: Re: NDSU Vendor Security Review Request - Liszt - 06-04-2025

Hi Jeff,

Attached please find the following:
  1. Answers to your requested information.
  2. The Company Data Dictionary, for database tables that interact with NDSU's data in Liszt.
  3. An SOC2 compliance report exported from Aikido. 

A few notes on the SOC2 report

Liszt has not undergone a vulnerability/penetration test aside from Aikido (https://aikido.dev). If a more substantial test is required, that can be arranged. 

-Kyle

=======================
Kyle Vanderburg, DMA
Composer & Sound Artist
- https://kylevanderburg.com
Chief Creative Officer, NoteForge
- https://noteforge.com
Composer in Residence, NDSU
- https://ndsu.edu/music 



From: Gimbel, Jeff
Sent: Wednesday, June 4, 2025 12:00
To: Kyle Vanderburg
Cc: Iverson, Jacoba ; Vanderburg, Kyle
Subject: NDSU Vendor Security Review Request - Liszt - 06-04-2025
 
Hello, Liszt team,


I am a Senior Security Analyst at North Dakota State University. In order to protect the Students, Staff, and Faculty as well as the Institution of NDSU, we request a Security review of your product or services that you are offering.
 
 
Please Provide the following Information: (note, incomplete information may lengthen the process and prevent a timely review)
 
IT Security Office Contact Information:


Statement of which regulation or standards the company complies with:

Company Security Policies:

Company Privacy Policy:

Company Administrative Logical and Physical Control Policies:

How and to whom NDSU data may be disclosed to and why:

Company Data Classification:

Company Data Dictionary:

Network Firewall and IPS Policies:

Data Encryption and Isolation Policies:

Role or Account Security Policies:

Multifactor Authentication Policies:

Summary of Incident Response Plan:

Summary of Business Continuity Plan:

Summary of Disaster Recovery Plan:

Summary of Employee Background Check Policies:

Summary of Employee Confidentiality Agreement Policies:

Summary of Employee Training:

A letter of attestation of the company's latest Vulnerability/Pentest Attestation
 
 
A SOC2, or HECVAT (https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit) from your Institution Point of View would make this process much quicker and would be greatly appreciated.

The Following Statements Need to be attested to if there is any FERPA Data Associated with the Service:


* Liszt agrees not to re-disclose any information unless it is permitted by NDSU or within the rules of FERPA
* Liszt agrees that the data housed is owned by NDSU and my institution will provide a way to audit and access that information
* Liszt agrees that data will only be housed in the United States
* Liszt gives NDSU direct control of the deletion of PII
* Liszt must obtain NDSU's consent to, or provide NDSU notice of changes
* Liszt has strict boundaries between education and commercial use of student data

* Can you also provide the breach notification protocols for Liszt?
 



Jeff Gimbel
Senior Security Analyst / Information Technology
NORTH DAKOTA STATE UNIVERSITY
p:701.231.6730  /  www.ndsu.edu
 
https://filetransfer.ndsu.edu/filedrop/jeff.gimbel@ndsu.edu
 

