Educause Security Discussion mailing list archives
Re: Systems Acquisition and Development standard
From: "Patria, Patricia" <PPatria () BENTLEY EDU>
Date: Fri, 29 Jan 2010 16:19:19 -0500
Hi Eva,

We just created the questionnaire a few months ago, and have only used it with one vendor so far. Beyond that, we only use it with hosted vendors storing sensitive data, so the volume of vendors completing this questionnaire is not unmanageable.

Relative to the open-ended format, based on the response we received from our first vendor, we actually had more comments to read when they answered Yes to a question than No or N/A. The information provided was often informational vs. details that required further analysis. Having said that, the vendor did not always provide a comment when they responded with an N/A or No, but we were able to get enough information from the responses to approve their security measures and move forward with the service.

Hope that helps.

Patty

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lorenz, Eva
Sent: Friday, January 29, 2010 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

We use a set of standards that are based on the degree of data security required. See http://its.unc.edu/InfoSecurity/proposed-policies/index.htm under Information Security Standards Policy; the right-hand column lists the standards in table format.

For an analysis of the risk, hosted situations are the most tricky, especially if multiple parties on the vendor side are involved. I try to encourage users to identify whether the party signing the contract is actually doing the controls or if they contract with someone else. We try to straighten out who is responsible for which control to avoid finger-pointing later on, in case something goes wrong and each party thought it was someone else's responsibility to scan for OS vulnerabilities versus application vulnerabilities.

I like Patty's questionnaire a lot. Patty, this is a great list of questions and I like the open-ended format of the NO and NA options. My only concern would be about the time involvement to analyze the "further information" response. In your experience, does the further information piece take significant time to analyze, or do you see common answers, such as "subcontract with party XX"?

Thanks - Eva

Eva Lorenz Ph.D., J.D., ITv3F
ITS Security
2800 ITS Manning
211 Manning Dr CB3420
Chapel Hill NC 27599

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Friday, January 29, 2010 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

Hi Ben,

For hosted applications that store sensitive data, we use the attached Third Party Assurance Questionnaire. For applications that reside at Bentley, we require a Functional Analysis document to be completed (http://www.bentley.edu/administrative-systems/policies-and-procedures.cfm), which is reviewed by many different members of IT.

Hope that helps.

Patty

Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 | 781.891.2364

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Friday, January 29, 2010 10:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Systems Acquisition and Development standard

We are drafting a systems acquisition and development standard with the goal of ensuring that information security is considered and that proposed purchases/development are reviewed by our office. I've found some good resources online. Does anyone have a standard/policy/requirements document they can share?

Thanks,

Ben Woelk
Information Security Communications and Training Specialist
Rochester Institute of Technology
151 Lomb Memorial DR Ross 10-A204
Rochester, NY 14623
585-475-4122
Current thread:
- Systems Acquisition and Development standard Ben Woelk (Jan 29)
- <Possible follow-ups>
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard James C. Farr '05 (Jan 29)
- Re: Systems Acquisition and Development standard Lorenz, Eva (Jan 29)
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard David Escalante (Jan 29)
- Re: Systems Acquisition and Development standard Ozzie Paez (Jan 29)