Educause Security Discussion mailing list archives

Re: Systems Acquisition and Development standard


From: "Patria, Patricia" <PPatria () BENTLEY EDU>
Date: Fri, 29 Jan 2010 16:19:19 -0500

Hi Eva,

We just created the questionnaire a few months ago, and have only used it with one vendor so far. Beyond that, we only 
use it with hosted vendors storing sensitive data, so the volume of vendors completing this questionnaire is not 
unmanageable.

Relative to the open-ended format, based on the response we received from our first vendor, we actually had more 
comments to read when they answered Yes to a question than No or N/A. The information provided was often informational 
vs. details that required further analysis.

Having said that, the vendor did not always provide a comment when they responded with an N/A or No, but we were able 
to get enough information from the responses to approve their security measures and move forward with the service.

Hope that helps.

Patty 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lorenz, Eva
Sent: Friday, January 29, 2010 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

We use a set of standards that are based on the degree of data security required. See 
http://its.unc.edu/InfoSecurity/proposed-policies/index.htm under Information Security Standards Policy, the right hand 
column lists the standards in table format.
For an analysis of the risk, hosted situations are the most tricky, especially if multiple parties on the vendor side 
are involved. I try to encourage users to identify whether the party signing the contract is actually doing the 
controls or if they contract with someone else. We try to straighten out who is responsible for which control to avoid 
finger-pointing later on, in case something goes wrong and each party thought it was someone else's responsibility to 
scan for OS vulnerabilities versus application vulnerabilities.

I like Patty's questionnaire a lot. 

Patty, this is a great list of questions and I like the open-ended format of the NO and NA options. My only concern 
would be about a time involvement to analyze the "further information" response. In your experience, does the further 
information piece take significant time to analyze or do you see common answers, such as subcontract with party XX?

Thanks - Eva



Eva Lorenz Ph.D., J.D., ITv3F
ITS Security
2800 ITS Manning
211 Manning Dr
CB3420
Chapel Hill NC 27599


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Friday, January 29, 2010 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

Hi Ben,

For hosted applications that store sensitive data, we use the attached Third Party Assurance Questionnaire.

For applications that reside at Bentley, we require a Functional Analysis document to be completed 
(http://www.bentley.edu/administrative-systems/policies-and-procedures.cfm), which is reviewed by many different 
members of IT.

Hope that helps.

Patty


Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 |781.891.2364

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Friday, January 29, 2010 10:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Systems Acquisition and Development standard

We are drafting a systems acquisition and development standard with the goal of ensuring that information security is 
considered and that proposed purchases/development are reviewed by our office. I've found some good resources online. 
Does anyone have a standard/policy/requirements document they can share?

Thanks,
Ben Woelk
Information Security Communications and Training Specialist
Rochester Institute of Technology
151 Lomb Memorial DR
Ross 10-A204
Rochester, NY 14623

585-475-4122
