Information Technology Service Provider Security Statement
Topic: Information Technology Service Provider Security Statement
Audience: Faculty and Staff
Creation Date: June 29, 2009
Last Revision Date: September 2016
A service provider or vendor, hereafter called "Service Provider", will complete this document if Oakland University (“University” or “the University”):
· Intends to purchase or contract an outsourced, hosted, software-as-a-service, web site, or application service provider application, or a similar service, from a vendor; or
· Intends to transmit or relocate data actively resident in an on-premise information technology resource to a service provider; or
· Intends to have a service provider or vendor collect or capture data on behalf of the University or for subsequent use by the University.
An editable version of this document is available from the Purchasing Department or by sending a request to firstname.lastname@example.org .
The document defines the minimum security and operational criteria that the Service Provider must describe and maintain in order to be a Service Provider or to otherwise provide services for the University. Service Provider must respond in writing to every statement and question in all categories, unless an exception is provided. Service Provider must comply with those statements for which a particular standard or security protocol is identified. Such compliance shall continue for the duration of the agreement, purchase order, or contract (“Agreement”) to which this document is attached as an Exhibit. University Technology Services department (“UTS”) will closely review Service Provider’s responses, and will suggest remediation measures in any areas falling short of minimum security criteria.
UTS will accept security documentation created by the Service Provider as long as it addresses the material and protocols described in this document. If submitting a vendor security statement, please label each section to correspond to the areas of this document.
1.1 University Documentation
Prior to distributing this statement to the Service Provider, University employees should provide the following data documentation here:
1) Will the Service Provider collect, transmit, process or store data on behalf of, or as an agent, of the University?
2) If the answer to #1 is “yes”, please describe the data and indicate the data classification as described in University policy #860. In particular, if Payment Card (Credit Card) processing or medical records are processed in any way, please describe the processing by the Service Provider in detail and indicate whether the data meet the University standard definition of “confidential data” or "operation critical" as described by University policy #860 Information Security.
3) Please describe any intended or targeted use with a mobile device, such as a smartphone or tablet. Include a description of data collected, transmitted, processed or stored on the device.
2.0 Service Provider Response
The Service Provider must complete and submit all components of section 2.0. UTS will review the responses and expects explicitly detailed, technical answers to the statements and questions. Service Provider should complete and submit its responses directly beneath the Standards (both questions and requirements) listed below.
Most sections require a descriptive answer; in some cases, a statement of compliance may suffice. In addition, please include any security whitepapers, technical documents, or policies that may be in place. Answers such as “Will furnish on request” are not acceptable; this document is the request for additional information.
Please complete all sections below unless noted.
2.1 Audit and Compliance
- Please describe support for the following statements: The University reserves the right to request an audit or security update of the University application infrastructure as provided by the Service Provider to ensure compliance with its policies and these Standards. Service Provider commits to engage in an annual security audit, sharing the results of the audit with the University upon request. The University will request that vulnerabilities identified in the audit be fixed or mitigated within 90 days of the audit report. The Service Provider may submit any of the following as an alternative:
  - Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/ (required for Service Provider solutions that involve payment card processing).
  - Certification of the product by Common Criteria, http://www.commoncriteriaportal.org/
  - Certification of privacy for web applications from TRUSTe, http://www.truste.org/about/index.php
  - Cloud Security Alliance (CSA) STAR Attestation, Certification, or Assessment, https://cloudsecurityalliance.org/star/#_overview
  - Statement from auditor for compliance with ISO/IEC 27001:2013 or later.
  - Statement from auditor for compliance with SAS 70 / SSAE 16.
- Please describe compliance with WCAG 2.0 Level AA web content accessibility guidelines and supply the VPAT statement for how this product claims to conform to the Section 508 of the Americans with Disabilities Act.
- Please describe compliance with Open Web Application Security Project (OWASP) design and implementation guidance: http://www.owasp.org
- The University retains the right to terminate the Agreement with 7 days' notice, with a 90-day allowance for retrieval of data, for any reason related to the security items listed in the Agreement, unless other provisions have been mutually agreed upon in the Agreement.
- The University aggressively protects copyrighted material, and all University logos, emblems, images, and gif files must be used only with University approval, and must be destroyed at the end of the Agreement.
- Service Provider must present evidence of $1 million or more in general liability and cyber risk insurance. Insurance covering network security, cyber liability, and errors and omissions insurance may be required. Typical limits are not less than $1 million per occurrence and $1 million in aggregate, and usually are more. Insurance limits for a project are determined in consultation with the Office of Risk Management. Lines and limits noted in the RFP prevail. Please attach documentation, such as certificate of insurance.
- Service Provider agrees to comply with all state and federal privacy and security legislation within 60 days of enactment. Describe how this is handled.
2.2 Data Controls
- Can the Service Provider guarantee that University data are only stored in the United States? (Yes / No)
- If the answer is “No”, please provide third-party data center identities and data center locations. The University requires notification before any data are stored in data center locations outside the United States.
- If confidential data are involved in this process, as defined by University policy #860 Information Security, review and compliance specific to those data are required. Describe any confidential data involved in this Agreement.
- Please describe capabilities for storing and processing full Legal Name and Preferred First Name if any name service (student name, employee name, etc.) is included in the solution.
- Describe the expected volume and format of data to be stored for the University.
- Service Provider will provide data upon request from the University in a preservation standard consistent with industry best practices for forensic retrieval, for review and use in connection with and for law enforcement, human resource management, litigation, or contested matters in all forums, audits and for the University’s own use. Please describe the data preservation and transmission process.
- How will data be transferred between the University and the Service Provider? Please provide a description of any identified ETL, EDI, or transmittal process. The University may require that files be encrypted both at rest and during transmission, depending on the type of data involved. Please describe the following in detail:
  - The specific data elements that will be transmitted from the University to the Service Provider.
  - The specific data elements that will be transmitted from the Service Provider to the University.
  - The encryption standard that will be used to encrypt transmitted data.
  - The transmission protocol proposed for data exchange.
  - The expected scheduling of data exchange.
- When the Agreement is terminated, describe the format and technology to be used to return data to the University. Describe the length of time that the University will have to retrieve data from the Service Provider upon termination.
- Describe how data will be removed from the Service Provider environment and from the environment of any agent under contract to the Service Provider upon termination of the Agreement. Data will be retained only for the period of this Agreement and only for a retention period approved by the University.
- Describe data access controls.
- Describe how data access will be limited to those with a "need to know" and controlled by a specific individual.
- Describe procedures and solutions implemented to prevent unauthorized access.
- Describe any data access provided to individuals other than employees of the Service Provider and University.
- The procedure for notification in the event of accidental data exposure must be identified. Accidental exposures of data to unauthorized persons (data breach) will result in the Service Provider notifying the University within 48 hours of discovery, and no notification to those whose data have been exposed will occur without prior discussion with the University. The Service Provider will fully support the University’s statutory and regulatory obligations in the event of a data breach.
- The Service Provider will notify the University within 48 hours of access or data sharing requests granted by the Service Provider to third parties, including but not limited to court orders, law enforcement requests, or similar processes. Please describe the process for handling such a situation.
- Standard non-disclosure language must be included in the Agreement, with protection to keep information and data private and confidential, and to treat information and data confidentially except as specifically provided for in the Agreement. Data cannot be shared with or sold to third parties. The University standard form for Mutual Non-Disclosure of information may be required. If Service Provider requires a Mutual Non-Disclosure statement, please provide it here.
- Standards for data quality are established by the University and enforced by the Service Provider. The Service Provider must meet the University standards for the quality and integrity of the data. The University retains the right to approve the quality of data displayed on web sites; the Service Provider will remove any University data from any web site based on the University noting a lack of quality. Processes that gather, edit, modify, calculate or otherwise manipulate data must meet University standards for data quality. The University must approve the sources of data and the data maintenance method. Please describe compliance with these statements.
2.3 Identity Access and Accounts Management
- Please describe the Identity Access Management environment. The University will not provide a customized data feed of usernames/passwords for account generation.
- Describe the types of access accounts that the Service Provider has designed into the solution, such as administrator accounts and customer accounts.
- Describe access authentication. OpenLDAP, CAS, or Shibboleth integrated with the University Identity Access Management environment are the preferred options. If the application only supports Active Directory, please state so.
- If the Service Provider is providing identity access accounts for the solution, Service Provider must provide information on the account generation, maintenance and termination process, for both systems maintenance as well as user accounts. Include information as to how an account is created, how account information is transmitted back to the user, and how accounts are terminated when no longer needed.
- If the Service Provider is providing identity access accounts for the solution, the Service Provider must provide information on their password policy for the University application infrastructure, including minimum password length, password generation guidelines, and how often passwords are changed.
- Service Provider must provide information on the handling of system default and system administration passwords, including installation and set-up procedures with default installation passwords and the system administration password policy.
- Please describe how data controls or administrator access controls are transferred to a new administrator when an administrator's employment is terminated.
2.4 Technical and Network Architecture
- Provide any specific firewall rules, custom domain names, email configurations, or other configurations required for successful network and communications connectivity to the Service Provider solution. A full network architecture diagram that details traffic flows and communication requirements, such as network ports, protocols, and applications, is preferred.
- Please describe the test environment available to the University for upgrades and ongoing product testing and verification.
- Service Provider must provide a proposed architecture document that includes a full network diagram of the University application environment, illustrating the relationship between the environment and any other relevant networks, with a full data flowchart that details where University data reside, the applications that manipulate data, and the security thereof. Please attach flowchart.
- Network hosting of the application should be segregated from any other network or customer that Service Provider may have, unless the University has given prior approval. Please describe this infrastructure and architecture accordingly.
- Service Provider must be able to immediately disable all or part of the functionality of the application should a security issue be identified. Describe how this is handled.
2.5 Physical Security
If the Service Provider has contracted with a data center hosting facility or provider, please provide answers for the items in this section based on the contract that the Service Provider has with the hosting facility and on the security evaluation that the Service Provider performed when selecting the hosting facility.
- The equipment hosting the application for University must be located in a physically secure and access controlled facility. Please describe locations.
- The infrastructure (hosts, network equipment, etc.) hosting the University’s application must be located in a locked cage-type environment, locked rack or other secure facility. Please describe the security of the equipment within the room.
- The physical environment must be covered by 24-hour surveillance video of evidentiary quality. Please describe.
- Physical access logs must be maintained and must include who entered the room, time of entry and time of exit. Please describe.
- Service Provider must disclose the job titles (not personal identities) of the personnel who will have access to the environment hosting the application for the University.
- Physical access to facilities where data are stored will be limited and controlled. Please describe facility access controls and process to gain access.
- The University requires that Service Provider disclose its personnel criminal background check procedures. Employees with access to the designated environment must meet current University employment standards for security and background checks. Please describe compliance.
- Any damage or unauthorized access to facilities will be reported to the University within 24 hours of occurrence. Please describe notification process.
2.6 Host Security and Service Health
- Service Provider must disclose how and to what extent the hosts (Unix, Windows, etc.) comprising the University application infrastructure have been hardened against attack. If Service Provider has hardening documentation for the infrastructure, provide that as well.
- Please provide a listing of the primary software used in the proposed solution, including operating system, web server, database management system, and the current release number for each software component.
- Information on how and when security patches will be applied must be provided. How does Service Provider keep up on security vulnerabilities, and what is the policy for applying security patches?
- Please provide a general description for monitoring the integrity and availability of hosts.
- Service uptime is guaranteed at 99.9%. (Consider: 365 days a year, 24 hours a day = 8,760 hours; 8,760 hours x 99.9% uptime = 8,751.24 hours, leaving 8.76 hours of unavailability. That means there would be roughly 1 full business day of system unavailability every year.) Fully describe the system availability service Agreement.
- If the Agreement provides that the University is responsible for notifying or providing evidence to the Service Provider that the service being utilized was degraded or unavailable, then the Service Provider shall maintain an online, customer-facing, near real-time service health dashboard. The dashboard shall be provided to the University for review on an ongoing basis and will include a history of application and service health for the last calendar quarter (as a minimum). Examples of service health dashboards that provide suitable models include:
2.7 Web Security
- Please describe the development environment in general and the releases of the solutions in use.
- Please describe Service Provider’s process for completing security Quality Assurance testing for the application.
- Describe testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture.
- Please describe the application development security standards employed for development.
- Has Service Provider done web code review for the explicit purposes of finding and remediating security vulnerabilities? If so, who did the review, what were the results, and what remediation activity has taken place? If not, when is such an activity planned?
- Please confirm that web sites are implemented utilizing Secure Sockets Layer (SSL) with a certificate from an independent certificate authority (please identify the authority).
- The University application infrastructure cannot utilize any "homegrown" cryptography – any symmetric, asymmetric or hashing algorithm utilized by the University application infrastructure must utilize algorithms that have been published and evaluated by the general cryptographic community. Please describe utilized cryptography, including any implementation of SSL.
- Describe Service Provider strategies for maintaining currency of cryptography.
- Describe methods used for encrypting University data at rest (e.g., Whole Disk Encryption, Database Encryption, etc.).
2.9 System Performance, Disaster Recovery and Business Continuity
- What are the disaster recovery and business continuity plans?
- Consider: Daily backups of systems, files and data will be done on a cyclical basis, so that any restore of the system will not result in more than 24 hours of data loss.
- Service Provider guarantees that a disaster recovery plan exists, including off-site storage or replication of data in a secure location.
- Describe or provide a copy of the Service Provider’s Incident Response Plan.
- Describe contact procedures and contact return window for standard problem reports, critical problem reports, and the problem escalation procedure.
- Describe Service Provider hours of operation, helpdesk hours of operation, and time zone.
For further help, please email email@example.com.