Information Technology Security and Compliance Statement
Topic: Information Technology Service Provider Security Statement
Creation Date: June 29, 2009
Last Revision Date: May 2017
A service provider or vendor, hereafter called "Service Provider", will receive this document if Oakland University (“University” or “the University”):
- Intends to purchase or contract outsourced, hosted, software as a service, web site service, application service provider application, on-premise software solution, or similar service from a vendor; or
- Intends to transmit or relocate data actively resident in an on-premise information technology resource to a service provider or between software solutions; or
- Intends to have a service provider or vendor collect or capture data on behalf of the University or for subsequent use by the University.
The document defines the minimum security and operational criteria that the Service Provider must provide to engage in business with the University. Service Provider must comply with those statements for which a particular standard or security protocol is identified. Such compliance shall continue for the duration of the agreement, purchase order, or contract (“Agreement”).
1.0 Audit and Compliance
- The University reserves the right to request an audit or security update of the University application infrastructure as provided by the Service Provider to ensure compliance with its policies and security statement. Service Provider will mitigate vulnerabilities identified in the audit within 90 days of the audit report.
- Service Provider must submit a statement of compliance of the proposed solution or development with the WCAG 2.0 Level AA web content accessibility guidelines, and a VPAT statement describing how the product claims to conform to Section 508 of the Americans with Disabilities Act.
- Compliance with the Family Educational Rights and Privacy Act (FERPA), if student records are involved: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- The Service Provider may submit any of the following as a statement of security practice:
  - Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/; required for Service Provider solutions that involve payment card processing.
  - Certification of the product under Common Criteria: http://www.commoncriteriaportal.org/
  - Certification of privacy for web applications from TRUSTe: http://www.truste.org/about/index.php
  - Cloud Security Alliance STAR Attestation, Certification, or Assessment: https://cloudsecurityalliance.org/star/
  - Statement from an auditor of compliance with ISO/IEC 27001:2013 or later.
  - Statement from an auditor of compliance with SAS 70 / SSAE 16.
  - Statement from an auditor of compliance with HIPAA/HITECH regulations; required for HIPAA-related processing.
  - Statement of compliance with Open Web Application Security Project (OWASP) design and implementation guidance: http://www.owasp.org
- The University retains the right to terminate the Agreement with 7 days' notice, with a 90-day allowance for retrieval of data in a format defined by the University, for any reason related to the listed security items unless other provisions have been mutually agreed upon in the Agreement.
- The University aggressively protects copyrighted material, and all University logos, emblems, images, and GIF files must be used only with University approval. Service Provider must destroy all related University material at the end of the Agreement.
- Service Provider must present evidence of insurance according to the University Risk Management standards described here: https://wwwp.oakland.edu/riskmanagement/ (click on Vendor Insurance Requirements in the left menu).
- Service Provider agrees to comply with all state and federal privacy and security legislation within 60 days of enactment.
2.0 Data Controls
- Service Provider will store University data only in data centers located within the United States, meeting or exceeding network, host, and physical security standards commonly found acceptable by regulatory agencies or organizations (i.e., PCI DSS 2.0 or later).
- Service Provider agrees to keep University information and data private and confidential, and to treat information and data confidentially except as specifically provided for in the Agreement. Data cannot be shared with or sold to third parties.
- Service Provider will use data encryption standards commonly found acceptable by regulatory agencies or organizations (i.e., PCI DSS 2.0 or later) for the protection of University data, consistent with State of Michigan law (https://wwwp.oakland.edu/Assets/upload/docs/uts/2006-PA-0566.pdf) for Personally Identifiable Information.
- Service Provider will provide capabilities for storing and processing full Legal Name and Preferred First Name if any name service (student name, employee name, etc.) is included in the solution.
- Service Provider will provide data in response to University request in a preservation standard consistent with industry best practices for forensic retrieval, for review and use in connection with law enforcement, human resource management, litigation, or contested matters in all forums, audits and for the University’s own use.
- Service Provider agrees to return all University data to the University within 60 days of contract termination and in a format approved by the University at the time of termination. All data related to the University, including University operational data, metadata, and log data, will be returned or destroyed at the end of the Agreement.
- Service Provider agrees to enforce University access and need-to-know policies for data access control.
- Service Provider will notify the University contact assigned for this engagement in the event of accidental data exposure, access of data by unauthorized parties or individuals, request for data by law enforcement, or any other third-party access to University data, within 48 hours of request or discovery.
- Standards for data quality are established by the University and enforced by the Service Provider. The Service Provider must meet the University standards for the quality and integrity of data. The University retains the right to approve the quality of data displayed on web sites; the Service Provider will remove any University data from any web site based on the University noting a lack of quality. Processes that gather, edit, modify, calculate or otherwise manipulate data must meet University standards for data quality. The University must approve the sources of data and the data maintenance method.
3.0 Identity Access and Accounts Management
- The University and the Service Provider will determine a secure access identity infrastructure process for the solution, including a unique login identity and password that is encrypted in storage and at rest for account users. The University and Service Provider will determine the best practices for issuing login accounts, password attributes, password resets, and other access identity management processes using standard industry practices for security and privacy, with the University solely responsible for the final solution decision.
- The University requires that the proposed solution meet University identity access management standards. Login processes can authenticate using Single Sign-On through the InCommon Federation, Shibboleth Version 3 or higher, CAS protocol 2.0 or higher, OpenLDAP/Red Hat Directory Server 9.1 or higher, and Active Directory within the University Identity Access Management Environment. ADFS is not an option at this time. Service Provider must indicate whether the firm is a member of the InCommon Federation. If not a member of InCommon, describe the login management process using Shibboleth Version 3 or higher, CAS protocol 2.0 or higher, or OpenLDAP/Red Hat Directory Server 9.1 or higher.
- If none of the preferred processes are usable, please describe the process. If the Service Provider is providing identity access accounts for the solution, it will provide a unique login identity and password that is encrypted in storage and at rest. Service Provider will manage issuing login accounts, password attributes, password resets, minimum password length, password generation guidelines, password expiration, and other access identity management processes using standard industry practices for security and privacy. Describe in detail the following processes:
  - Creating new accounts
  - Suspending accounts for temporary security reasons
  - Terminating accounts
  - Password resets
  - Password security protocols
  - Name changes
- Service Provider changes system default and system administration passwords on implementation and regularly thereafter following standard security best practices.
4.0 Technical and Network Architecture
- Service Provider must supply any specific firewall rules, custom domain names, email configurations, messaging integration, or other configurations required for successful network and communications connectivity to the Service Provider solution. Service Provider should supply a full network architecture diagram that details traffic flows and communication requirements, such as network ports, protocols, and applications. Costs and project delays associated with missing or incomplete documentation will be the sole responsibility of the Service Provider.
- Service Provider will provide a test environment available to the University for upgrades and ongoing product testing and verification.
5.0 Physical Security
If the Service Provider has contracted with a data center hosting facility or provider, please review items in this section based on the contract that the Service Provider has with their hosting facility and the security evaluation that the Service Provider engaged in when selecting the hosting facility.
- The equipment hosting the application for University must be located in a physically secure and access controlled facility.
- The infrastructure (hosts, network equipment, etc.) hosting the University’s application must be located in a locked cage-type environment, locked rack or other secure facility.
- The physical environment must be covered by 24-hour surveillance video of evidentiary quality.
- Physical access must be limited and controlled, and logs must be maintained and must include who entered the room, time of entry and time of exit.
- The University requires that Service Provider employees with access to University data must meet current University employment standards for security and background checks.
- Any damage or unauthorized access to facilities will be reported to the University within 24 hours of occurrence.
6.0 Host Security and Service Health
- Service Provider will maintain the security of the hosts (Unix, Windows, etc.) comprising the University application and server infrastructure, and those hosts will be hardened against attack.
- Service Provider will install security patches within 30 days of release.
- Service Provider will meet a minimum service level agreement of 99.9% uptime. Service uptime is guaranteed to 99.9% (consider: 365 days a year, 24 hours a day = 8,760 hours; 8,760 hours x 99.9% uptime = 8,751.24 hours of availability. That means roughly 1 full business day of system unavailability every year.)
- If the Service Provider proposes an Agreement under which the University is responsible for notifying or providing evidence to the Service Provider that the service being utilized was degraded or unavailable, then the Service Provider shall maintain an online, customer-facing, near real-time service health dashboard. The dashboard shall be provided to the University for review on an ongoing basis and will include a history of application and service health for the last calendar quarter (as a minimum). Examples of service health dashboards that could serve as models include:
7.0 Web Security
- Service Provider will provide release information and documentation for solutions in use and on the product roadmap.
- Service Provider's process will include completing security Quality Assurance testing for the application.
- Service Provider web sites are implemented utilizing Secure Sockets Layer (SSL) with a certificate from an independent certificate authority.
- The University application infrastructure cannot utilize any "homegrown" cryptography – any symmetric, asymmetric or hashing algorithm utilized by the University application infrastructure must be an algorithm that has been published, evaluated by, and is currently in use within the general cryptographic community.
- Service Provider will use data encryption standards commonly found acceptable by regulatory agencies or organizations (i.e., PCI DSS 2.0 or later) where encryption is required.
9.0 Disaster Recovery and Business Continuity
- Service Provider will provide and maintain an infrastructure for disaster recovery and business continuity meeting a standard to be determined with the University and suitable to the service or application.
For further help, please email email@example.com.