Educause Security Discussion mailing list archives

Vendors, the Internet and PII


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Wed, 18 Nov 2009 16:29:45 -0500

Hi,

I just had a sys admin call me because his department wants to use a
third-party vendor who makes web forms and processes PII data. The cost is
$300 a year. The prospective students would enter their data (including
PII), the third-party vendor would provide the forms, and then transmit
the data back to the campus record keeping application, creating a file.
The form would be in HTTPS, and the transmission would be encrypted,
according to my admin.

Now, when we give somebody $30,000 or $300,000 to process our work, I
would think nothing of asking for some IT Security controls assurance
(being allowed to audit, SAS-70 t2, etc.) But when you're giving them
your PII and only paying $300, what would be reasonable assurance?

We have an E-Commerce group, so I sent him there for guidance, but I was
curious what the group thought.

My instinct is to require the same controls I would if they were
processing credit card transactions, but how to prove they are in place
and effective is a question I have.

Thanks,

:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu