Educause Security Discussion mailing list archives

Re: Security for vendors that manage student data


From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 7 Aug 2019 14:34:09 +0000

Our security teams have approval steps in the contracting workflows for particular types of purchases (like IT 
services) and purchases cannot complete the process without review and approval. We have a set of standard security 
contract language that we insert into agreements with vendors handling university data in general. Typically the 
procurement team adds this standard language along with other standard changes to the vendor and once the vendor 
returns their redline version, the security team is engaged in the process.

Naturally, this ends up being a negotiation with some back and forth so the language doesn’t end up identical in each 
contract.  We also have some additional sections that are added for cases like student data or payment card processing.

We commonly ask for things like a CSA controls matrix, HECVAT, SOC2 or other assertion. Depending on the situation, we 
may ask to see copies of security assessments or audits. Our job is to characterize risk for business decision makers 
(note that the group making the purchase isn’t always the business decision maker about risk) rather than making the 
decision about what vendors to use ourselves.

This is just on the contract side and is separate from security engagement on the design/technology side. Engagement on 
that side depends greatly on who is doing the purchasing. We have good tie-ins with the central IT departments and 
their project processes, and a solid process around anything involving payment card processing.  In those situations, 
we may be directly involved in technical design or design review. However, there’s a lot of room for improvement in 
awareness of smaller, departmental initiatives.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Kimmitt, Jonathan" <jonathan-kimmitt () 
UTULSA EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, August 7, 2019 at 8:03 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security for vendors that manage student data

Hi all,

  When you are evaluating a 3rd party vendor to process/manage your student data, specifically if you are transferring 
the data to them in a feed/file transfer, what security requirements do you require or look for in the MSA for that 
company?

I have a checklist that external counsel and I created years ago, looking for a handful of specific things.

One of them is specifically:

      12.  Do you have external evaluation of your systems, processes, and/or code (that deals with our student data) 
by qualified security assessors (Penetration Testing, 3rd party code review, SOC2 analysis, etc.)?


If the company responds with ‘No’, I am very cautious about the company.  It does not necessarily mean we won’t use 
them, but I do explain to the department my reservations.

I wanted to get thoughts from the group on whether you do something similar when evaluating Master Service Agreements 
for your University.

-Jonathan


~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
