Educause Security Discussion mailing list archives
Re: Security for vendors that manage student data
From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 7 Aug 2019 14:34:09 +0000
Our security teams have approval steps in the contracting workflows for particular types of purchases (like IT services) and purchases cannot complete the process without review and approval. We have a set of standard security contract language that we insert into agreements with vendors handling university data in general. Typically the procurement team adds this standard language along with other standard changes to the vendor and once the vendor returns their redline version, the security team is engaged in the process. Naturally, this ends up being a negotiation with some back and forth so the language doesn’t end up identical in each contract. We also have some additional sections that are added for cases like student data or payment card processing. We commonly ask for things like a CSA controls matrix, HECVAT, SOC2 or other assertion. Depending on the situation, we may ask to see copies of security assessments or audits. Our job is to characterize risk for business decision makers (note that the group making the purchase isn’t always the business decision maker about risk) rather than making the decision about what vendors to use ourselves.

This is just on the contract side and is separate from security engagement on the design/technology side. Engagement on that side depends greatly on who is doing the purchasing. We have good tie-ins with the central IT departments and their project processes, and a solid process around anything involving payment card processing. In those situations, we may be directly involved in technical design or design review. However, there’s a lot of room for improvement in awareness of smaller, departmental initiatives.
Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, August 7, 2019 at 8:03 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security for vendors that manage student data

Hi all,

When you are evaluating 3rd party vendors to process/manage your student data, specifically if you are transferring the data to them in a feed/file transfer, what security requirements do you require or look for in the MSA for that company?

I have a checklist that external counsel and I created years ago, looking for a handful of specific things. One of them is specifically:

12. Do you have external evaluation of your systems, processes, and/or code (that deals with our student data) by qualified security assessors (Penetration Testing, 3rd party code review, SOC2 analysis, etc)?

If the company responds with ‘No’, I am very cautious about the company. It does not necessarily mean we won’t use them, but I do explain to the department my reservations.

I wanted to get thoughts from the group on if you do something similar when evaluating Master Service Agreements for your University?

-Jonathan

~ Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community **********
Current thread:
- Security for vendors that manage student data Kimmitt, Jonathan (Aug 07)
- <Possible follow-ups>
- Re: Security for vendors that manage student data Brad Judy (Aug 07)
- Re: Security for vendors that manage student data King, Ronald A. (Aug 07)