Educause Security Discussion mailing list archives
Re: IT Security in Purchases and Contracts
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 4 Sep 2007 12:39:20 -0400
We've tried to address this with outsourced and ASP solutions first. We've separated these with the reasoning that in these situations, our data are going somewhere else to live, and really the goal of our security practice is protecting the data.

On our web site: http://www2.oakland.edu/uts/policies.cfm
Click on Outsourcing, Hosting and Application Service Providers (red words are all clickable)

Departments first have to review the Checklist. Vendors have to submit the Standards document, and depending on the situation, the Mutual Non-Disclosure Agreement. If we are happy with the documents, the purchase can proceed. The submitted documents are turned in with the contracts to our Office of the General Counsel. The attorney writes the material in as an exhibit.

For software and systems that we are buying for in-house installation, we write the security requirements into the RFP. Vendors must respond to specifics in the RFP. That security response is a consideration when making the final purchase decision. We then work with our legal department to finalize the requirements into the contract.

Theresa

---- Original message ----
Date: Tue, 4 Sep 2007 08:37:18 -0600
From: Eric Galyon <Eric.Galyon () CUSYS EDU>
Subject: [SECURITY] IT Security in Purchases and Contracts
To: SECURITY () LISTSERV EDUCAUSE EDU

I'm attempting to research Higher Education practices in extending University IT security policies to contracts and purchases. I'm interested in speaking with any institution that has either:

1) Created specific processes which enforce specific reviews and/or approvals of IT security aspects prior to purchase authorization.
2) Introduced specific written language into contracts, service arrangement agreements, or RFPs requiring vendors to meet University IT security policy requirements.

I'd be interested in knowing about institutions that have tackled either of these issues; contact information would be a plus. I'll gladly summarize my results and post them back to this list for others.

Thanks,
Eric Galyon
Technical Security Specialist
Office of Information Security
University of Colorado
(303) 492-9419
Eric.Galyon () cusys edu

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services