Outsourcing, Hosting, Software as a Service, and Application Service Provider Checklist
Topic: Outsourcing, Hosting, Software as a Service, and Application Service Provider Checklist
Audience: Faculty and Staff
Creation Date: June 24, 2008
Last Revision Date: June 6, 2013
Author: Theresa Rowe
The university is engaging in business where university data are being collected, transmitted or stored under contracted third party arrangements. In many of these situations, a web-based system is developed by a vendor to collect data or display data on behalf of a university operation. In some cases, the vendor is providing a web site where students are entering personal data. The university may also send data collected by the university for further display, processing, or storage by a contracted third party vendor. This checklist was created to assist in risk management, contract review, and ongoing vendor management, with a goal of minimizing risk to university data.
Section I: Does this security review apply to my project?
If you answer YES to any of the following questions, your project needs security review.
- Are you transferring data currently residing on a computer owned by Oakland University to a computer not owned by Oakland University?
- Are you contracting with a vendor who will create a web site or implement a system on behalf of Oakland University to collect and store data?
- Will a contracted third party collect data that will later be transmitted for use by Oakland University?
- Will a third party accept credit card payment on behalf of an Oakland University operation?
- Are you purchasing an online service to display university data, such as student data, faculty data, or course data?
You can do an initial security review using the materials in this document. You may also request assistance from University Technology Services. Over the course of purchasing procedures and operation with the vendor, additional security reviews may be required by the Office of Risk Management, Office of Legal Affairs, or Internal Audit.
Section II: Privacy and Security Policy Review
Please review the Oakland University Privacy Statement at www.oakland.edu (click on Privacy Statement at the bottom of the page). Also, please review the university policies related to information technology found at http://www.oakland.edu/uts/policies, particularly the policies under the heading DATA (Policy #860 Information Security).
The university must also be in compliance with external mandates. Such mandates include:
Family Educational Rights and Privacy Act FERPA: http://www.oakland.edu/policies/1130/
Gramm-Leach-Bliley Act: http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
Health Insurance Portability and Accountability Act: http://www.hhs.gov/ocr/privacy/
Cardholder Security Programs: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
Open Web Application Security Program: https://www.owasp.org/index.php/Main_Page
Student and Exchange Visitor Information System: http://www.ice.gov/sevis/
Data maintenance plans must conform to these policies.
Section III: System Review
The systems used for the handling, processing or storage of data should be reviewed prior to agreement. References from other clients should be obtained prior to agreement. UTS is available to do a security review, which would include discussions with the vendor's technology staff, a general product review, a general security review, and a check of the availability and skill of the vendor's staff in security work. In general, OU seeks to hold vendors to the security standards listed as common practice in higher education, as documented by Educause (http://www.educause.edu/ir/library/pdf/SEC0421.pdf). The OU department seeking to process data must have an operational plan with defined data elements ready for review (i.e., will the data include names, Social Security Numbers, credit card processing, student data, alumni data, etc.). An access control plan must also be defined.
Section IV: Contract Review
UTS will assist you in review for technology and security issues on request. The Office of Risk Management may require review, and may require specific language in any contract. In general, the following items must be checked:
- Who will have access to the data?
- Data access will be limited to those with a "need to know" and controlled by specific, named individuals. The vendor will have procedures and solutions implemented to prevent unauthorized access, and the procedures will be documented and available for OU to review on request. Those allowed to send data to and receive data from the vendor must be identified.
- Accidental exposures of data to unauthorized persons will result in the vendor notifying OU within 4 hours of discovery, and no notification to those whose data have been exposed will occur without prior discussion with OU.
- Physical access to facilities where data are stored will be limited and controlled. Any damage or unauthorized access to facilities will be reported to the university within 24 hours of occurrence.
- Standard non-disclosure language must be included, with protection to keep information and data private and confidential, and to treat information and data confidentially except as specifically provided for in the contract. Data cannot be shared or sold with or to third parties.
- Where will data be stored?
- All computers used in the storage, processing, transmittal and display of data will run operating systems that are current in release, with unneeded services disabled, with default administrator access shut off, and with all security patches applied in a timely fashion soon after each patch is released.
- What security standards will be implemented?
- All computers and systems will be protected by acceptable industry practices for antivirus, firewalls, and network and system intrusion detection systems.
- Routine event monitoring will be done by the vendor; the university expects that the vendor will routinely and immediately identify events related to unauthorized activity and unauthorized access.
- The vendor will engage in an annual security audit, and identified vulnerabilities will be fixed or mitigated within 90 days of the audit report.
- Web sites that gather personal information must utilize Secure Sockets Layer (SSL) with a certificate from an independent authority.
- File transmissions must be done using Secure File Transfer Protocol.
- What are the disaster recovery and business continuity plans?
- Daily backups of systems, files and data will be done on a cyclical basis, so that any restore of the system will not result in more than 24 hours of data loss.
- Vendor guarantees that a disaster recovery plan exists, including off-site storage of data in a secure location. The university must approve the off-site storage of the data, and the university retains the right to reject the location for security reasons and to recommend another location.
- System uptime is guaranteed to 99.9% (Consider: 365 days a year, 24 hours a day = 8,760 hours x 99.9% uptime = 8,751.24 hours. That means that there would be roughly 1 full day of system unavailability every year.)
- What is the quality of the data?
- The vendor must meet university standards for data integrity and accuracy. No data exchanges will occur until the university has agreed that data are meeting university standards for data quality. The university retains the right to approve the quality of data displayed on web sites; data not meeting university standards will not be displayed.
- Processes that gather, edit, modify, calculate or otherwise manipulate the data must meet university standards for data quality.
- What privacy and compliance requirements apply to the data and the operation?
- The maintenance and retention of all data must comply with university Policy #860 Information Security.
- Social Security Numbers will be encrypted when stored and transmitted, and masked on display so that only the last 4 digits are shown anywhere they are displayed, including reports. The retention period for storage of Social Security Numbers must be approved in advance by the university.
- If credit cards are processed on a web site, the vendor must supply documentation of compliance to Merchant Security Review standards, including Visa’s Cardholder Information Security Program and MasterCard’s Security Data Program. Credit card numbers will not be stored unless a retention period for storage has been approved in advance by the university. If stored, credit card numbers will be encrypted when stored and transmitted, and masked on display so that only the last 4 digits are shown anywhere they are displayed, including reports.
- If financial records are processed, the vendor must supply documentation of compliance to GLBA prior to the contract being accepted by OU, and annually thereafter. Processing of payments must also comply with university Policy #210 Cash Receipts.
- If medical record or medical insurance data are included, the data must be encrypted, and the vendor must supply documentation of compliance to HIPAA prior to the contract being accepted by OU, and annually thereafter.
- If student record data are included, the vendor must supply documentation of compliance to FERPA prior to the contract being accepted by OU, and annually thereafter.
- All data will be retained for periods approved by the university, and will be destroyed or returned to the university upon termination of the contract. The method of data destruction must be approved by the university.
- Vendor agrees to comply with all state and federal privacy and security legislation within 60 days of enactment.
- Contract review and termination
- Contract must have specific milestones for delivery, performance benchmarks, measurable results.
- Consider whether training and support should be part of the contract.
- The university retains the right to terminate the contract with 7 days' notice for any reason related to the security items listed in the contract.
- The university aggressively protects copyrighted material, and all university logos, emblems, images, and gif files must be used only with university approval, and must be destroyed at the end of the contract.
- Vendor will present evidence of $1 million or more in liability insurance, and preferably cyber risk insurance.
- Review applicability of Contractual Cyber Insurance Requirements.
- How is a critical problem defined?
- What is the response window for a critical problem reported to the vendor (e.g., return contact within 4 hours of the report)?
- What are the hours of vendor operation, in what time zone?
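The last-4 display rule stated above for Social Security Numbers and credit card numbers is simple to write into a contract and easy to violate in practice, because reports and exported pages are often generated from raw fields long after the web form was built. The following Python is an added example for reviewers, not code from this checklist or from any vendor's product: it applies the last-4 rule to free-text report output and counts anything still exposed, so a sample report can be checked before sign-off. The function names, regular expressions and sample report lines are my own constructions; the card numbers are published test numbers that pass the Luhn checksum, and the SSNs are made up.

```python
import re

# Matches US Social Security Number layouts: 123-45-6789, 123 45 6789 or 123456789.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Candidate payment card numbers: 13 to 19 digits, optionally grouped by spaces or dashes.
# Candidates are confirmed with the Luhn checksum so invoice or order numbers are left alone.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a digit string (the checksum every card number carries)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_last4(value: str, keep: int = 4) -> str:
    """Replace all digits except the final `keep` with '*', leaving separators in place."""
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    hidden = set(positions[:max(len(positions) - keep, 0)])
    return "".join("*" if i in hidden else ch for i, ch in enumerate(value))


def _mask_pan(match: "re.Match") -> str:
    raw = match.group(0)
    return mask_last4(raw) if luhn_ok(re.sub(r"\D", "", raw)) else raw


def redact_for_display(text: str) -> str:
    """Apply the last-4 display rule to every SSN and Luhn-valid card number in a report body.
    Card numbers are masked first so the SSN pattern is never tried against card digits."""
    text = PAN_RE.sub(_mask_pan, text)
    return SSN_RE.sub(lambda m: mask_last4(m.group(0)), text)


def unmasked_count(text: str) -> int:
    """Number of SSNs and Luhn-valid card numbers still visible; a pre-release check."""
    pans = sum(1 for m in PAN_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group(0))))
    without_pans = PAN_RE.sub(_mask_pan, text)   # so card digit groups are not counted as SSNs
    return pans + len(SSN_RE.findall(without_pans))


# Constructed sample report lines (published test card numbers and made-up SSNs, not real data).
SAMPLE_REPORT = """\
id=1001 ssn=123-45-6789 card=4111 1111 1111 1111 phone=555-010-0100
id=1002 ssn=987654321 card=5500000000000004 invoice=2013060600012345
"""

if __name__ == "__main__":
    print("exposed before:", unmasked_count(SAMPLE_REPORT))
    print(redact_for_display(SAMPLE_REPORT), end="")
    print("exposed after:", unmasked_count(redact_for_display(SAMPLE_REPORT)))
```

Masking for display is only one half of the requirement above; it does nothing for encryption at rest or in transit, which has to be verified separately. The `unmasked_count` check is the useful part for a reviewer: run it over a vendor's sample report or exported page and expect zero before accepting the deliverable.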
___ Review of the OU Privacy Statement.
___ Review of OU information technology policies.
___ Review of OU Policy #210 Cash Receipts.
___ Review of OU Policy #860 Information Security and Policy #218 Data Entry Standards for Banner Users.
___ Review of relevant external mandates.
___ Develop data model with:
- All data elements involved in the process listed
- Classification of data elements, as noted in Policy #860 Information Security, as confidential, operation critical, or unrestricted.
- Documentation of the data steward for data elements and documentation of the permission from the data steward.
- Documentation of the data maintenance and control method, and plan for compliance with university Policy #218 Data Entry Standards for Banner Users.
- Documentation of access controls.
___ Vendor reference check.
___ Review of general best practices from Educause with vendor.
___ Review of accidental exposure procedures.
___ Review of physical access locations and controls from vendor.
___ Review of vendor operational controls and monitoring, with acceptable system up-time guarantees.
___ Identification of any sub-contractors for the project.
___ Review of non-disclosure contract language with the Office of Risk Management.
___ Review of systems administration and maintenance guarantees in contract language with UTS and Risk Management.
___ Vendor will engage in an annual security audit, and identified vulnerabilities will be fixed or mitigated within 90 days of the audit report.
___ Web sites implemented utilizing Secure Sockets Layer (SSL) with a certificate from an independent authority.
___ Web sites developed following guidelines at The Open Web Application Security Program.
___ File transmissions must be done using Secure File Transfer Protocol.
___ Acceptable event notification procedures, business continuity and disaster recovery plans.
___ Acceptable data integrity and accuracy models.
___ Review of FERPA implications and compliance.
___ Acceptable contract provisions for performance, maintenance and problem solving.
___ Acceptable contract provisions for data retention and data return to the university upon contract termination.
___ Documentation of compliance to Merchant Security Review standards, including Visa’s Cardholder Information Security Program and MasterCard’s Security Data Program, renewed annually, if credit card processing is involved.
___ Documentation of compliance to GLBA prior to the contract being accepted by OU, and annually thereafter.
___ If medical record or medical insurance data are included, the data must be encrypted, and the vendor must supply documentation of compliance to HIPAA prior to the contract being accepted by OU, and annually thereafter.
___ UTS security review of the data model, vendor references, security standards and discussion with vendor security contact.
___ UTS review of necessary firewall, anti-virus and patch management protections.
___ Acceptable contract termination language if security provisions are not met.
___ Review of insurance with the Office of Risk Management.
___ Information security policies have been shared with vendor.
For further help, please email firstname.lastname@example.org.