Educause Security Discussion mailing list archives

Re: Vendors, the Internet and PII


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 19 Nov 2009 09:30:57 -0500

The risks don't change based on the cost of the service so I would start
with the same contractual provisions you would use for a $300,000 contract
or even a $3mil contract that involves similar data.  Their tolerance for
all those provisions may be less but that can be hashed out as part of the
negotiation process.  We typically sell our vendor audit provisions as a
service to them given that we would share the results and, in our own humble
opinion, we'd be providing a comparable service that they would otherwise
have to pay a consulting company a great deal of money for.  I'm assuming
based on the charge of only $300/year that they're a smaller company so they
may even be more agreeable to your terms than a larger company would be.
It's a free assessment!  As far as requiring a SAS-70, I rarely find them
valuable from a security standpoint so I tend to not care too much if a
smaller company is not performing them regularly (or at all for that
matter).  If you are, great, send me the report.  If not, nbd.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Wednesday, November 18, 2009 4:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendors, the Internet and PII

Hi,

I just had a sys admin call me because his department wants to use a 3rd
party vendor who makes web forms and processes PII data. The cost is $300 a
year. The prospective students would enter their data (including PII), the
3rd party vendor would provide the forms, and then transmit the data back to
the campus record keeping application, creating a file. The form would be in
https, and the transmission would be encrypted, according to my admin.

Now, when we give somebody $30,000 or $300,000 to process our work, I would
think nothing of asking for some IT Security controls assurance (being
allowed to audit, SAS-70 t2, etc.) But when you're giving them your PII and
only paying $300, what would be reasonable assurance?

We have an E-Commerce group, so I sent him there for guidance, but I was
curious what the group thought.

My instinct is to require the same controls I would if they were processing
credit card transactions, but how to prove they are in place and effective
is a question I have.

Thanks,




:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : <http://www.massachusetts.edu/>


