Educause Security Discussion mailing list archives
Re: Vendors, the Internet and PII
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 19 Nov 2009 09:30:57 -0500
The risks don't change based on the cost of the service, so I would start with the same contractual provisions you would use for a $300,000 contract or even a $3mil contract that involves similar data. Their tolerance for all those provisions may be less, but that can be hashed out as part of the negotiation process. We typically sell our vendor audit provisions as a service to them, given that we would share the results and, in our own humble opinion, we'd be providing a comparable service that they would otherwise have to pay a consulting company a great deal of money for. I'm assuming, based on the charge of only $300/year, that they're a smaller company, so they may even be more agreeable to your terms than a larger company would be. It's a free assessment!

As far as requiring a SAS-70, I rarely find them valuable from a security standpoint, so I tend to not care too much if a smaller company is not performing them regularly (or at all, for that matter). If you are, great, send me the report. If not, nbd.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Wednesday, November 18, 2009 4:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendors, the Internet and PII

Hi,

I just had a sys admin call me because his department wants to use a 3rd party vendor who makes web forms and processes PII data. The cost is $300 a year. The prospective students would enter their data (including PII), the 3rd party vendor would provide the forms, and then transmit the data back to the campus record keeping application, creating a file. The form would be in https, and the transmission would be encrypted, according to my admin.

Now, when we give somebody $30,000 or $300,000 to process our work, I would think nothing of asking for some IT Security controls assurance (being allowed to audit, SAS-70 t2, etc.). But when you're giving them your PII and only paying $300, what would be reasonable assurance? We have an E-Commerce group, so I sent him there for guidance, but I was curious what the group thought. My instinct is to require the same controls I would if they were processing credit card transactions, but how to prove they are in place and effective is a question I have.

Thanks,

:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu
Current thread:
- Vendors, the Internet and PII Sarazen, Daniel (Nov 18)
- <Possible follow-ups>
- Re: Vendors, the Internet and PII Doug Markiewicz (Nov 19)