CSUN

Security Checklist for Hosted IT Services

Background

California State University, Northridge is engaging in business where university data are collected, transmitted, or processed under contracted third-party arrangements. In many of these situations, a network-accessible service is developed by a vendor to collect, transmit, or process data on behalf of a CSUN department. The university may also send data collected by the university for further processing or storage by a contracted third-party vendor. The CSUN Information Security Office (ISO) has created this checklist to assist purchasing project sponsor(s) in addressing risk management, contract review, and ongoing vendor management, with the goal of minimizing the risk to university data.

The ISO expects the purchasing project sponsor(s) to have determined whether or not existing university services can be utilized to ensure coherence, consistency, and elimination of redundancy prior to pursuing third-party services.

Determining the Need for a Security Assessment

A security assessment or review is required if any of the following apply to the project:

  1. The project involves transferring any university data classified as Level 1 or Level 2, or otherwise sensitive, from a university-owned device to a third-party contracted device.
  2. The project involves contracting with a vendor who will create a network-accessible service on behalf of CSUN to collect, transmit, or process any university data classified as Level 1 or Level 2, or otherwise sensitive.
  3. The project requires that a contracted third party collect or process any university data classified as Level 1 or Level 2, or otherwise sensitive, that will later be transmitted for use by CSUN.
  4. The project requires that a third party process payment card information on behalf of CSUN.

The purchasing project sponsor(s) can elect to have an ISO-approved third party conduct the security assessment, or can submit a request for assistance to the Information Security Office, iso@csun.edu. The security assessment must consider all applicable provisions of the .

Assess Compliance with University Policies

The purchasing project sponsor(s) shall review the .

All contracts that involve the storing or movement of CSUN employee or staff data must have the in the contract as is, or reviewed by the ISO.

The purchasing project sponsor(s) should note that certain types of data require the university to comply with external mandates. Such mandates include, but are not limited to:

Data management plans must conform to all applicable mandates. If there are any questions regarding policy interpretation or compliance, please contact the Information Security Office at iso@csun.edu.

System Security Assessment

The systems used to process, transmit, or store data must be reviewed prior to formalizing and executing the agreement by the Purchasing & Contract Administration office. References from other clients should be obtained prior to formalizing the agreement. The purchasing project sponsor(s) is responsible for ensuring that a system security assessment is conducted. An approved assessment by an Information Security Officer must be noted on the purchase requisition in order for the Purchasing & Contract Administration office to release a Purchase Order. The Information Security Office is available to assist in performing a security assessment based on priority and availability.

If you have any comments or suggestions, please contact the Information Security Office at iso@csun.edu.

Review of Contract Details

The Information Security Office can assist in the review of contract details upon request and based on priority and availability. The Purchasing & Contract Administration office will require an approved assessment, as well as an approved form, and may require specific language in a contract. In general, the following items must be assessed:

1.1 Data access shall be limited to those with a "need to know" and controlled by specific individual(s). The vendor must have procedures and solutions implemented to prevent unauthorized access, and the procedures will be documented and available for CSUN to review upon request. All of the vendor's employees with access to university data must be identified and names provided to the university upon request.

1.2 Unauthorized exposures of university data shall result in the vendor notifying CSUN immediately for Level 1 data and within twenty-four hours for Level 2 and other CSUN data. No notification shall be made to individual CSUN constituents affected by the unauthorized exposure of the university's data until the vendor has consulted with CSUN officials.

1.3 Physical access to facilities where data are stored must be limited and controlled. Any damage or unauthorized access to facilities must be reported to the university within 24 hours of its discovery. If any unauthorized access to university data occurred, the vendor must consult with CSUN officials before notifying those affected by the unauthorized access to this data.

1.4 Standard non-disclosure language must be included, with protection to keep information private and confidential, except as specifically provided for in the contract. Data shall not be shared with or sold to third parties.

2.1 All the vendor's systems handling university data must comply with the CSUN standards for Level 1 and Level 2 data.

2.2 All systems and applications shall regularly undergo vulnerability assessments, such as testing patch level, password security, and application security.

2.3 Routine event monitoring will be performed by the vendor; the university expects that the vendor will routinely and immediately identify events related to unauthorized activity and unauthorized access.

2.4 The vendor should undergo regular security audits, preferably by certified third parties, occurring at least annually, and any identified issues must be resolved or mitigated within 90 days of the audit report. The university may demand written proof of this audit at any time during the duration of the contract.

2.5 All services that gather Level 1 and Level 2 or otherwise sensitive information must utilize secure communication methods, such as SSL, and, if certificates are required, use a certificate from an approved independent authority (for example, Comodo).

2.6 All file transmissions involving Level 1 or Level 2 or otherwise sensitive data must utilize secure communication methods; for example, SSL, SCP, SSH, SFTP.

2.7 Any Level 1 and Level 2 data must be stored on servers physically located in the United States.

2.8 Authentication for cloud vendors should support CAS or Shibboleth.

3.1 The purchasing project sponsor(s) shall detail the specific backup requirements for systems, files, and data. The vendor must agree to the required time periods and processes. For example, if a department determines that no more than the previous 24 hours of data may be lost, the vendor must be able to comply with that requirement.

3.2 The vendor must have a documented disaster recovery plan.

3.3 The vendor must have a secure secondary off-site storage location for university data. The university must approve the location of the off-site storage, and the university retains the rights to reject the location for security or availability reasons and to recommend another location.

3.4 The purchasing project sponsor(s) shall detail the specific system uptime requirements for the service, and the vendor will agree to the availability requirements. An example of availability requirements might be expressed as, "Guaranteed to 99.9 percent each year or no more than 8 hours and 45 minutes of downtime every year."

4.1 The vendor must be able to maintain the integrity and accuracy of the data it manages for the university. No data exchanges will occur until the university has agreed that the data meets any specified university requirements for accuracy and integrity. The university retains the right to approve or reject the data displayed on Web sites; the display of data not meeting university standards will not be allowed.

4.2 Processes that gather, edit, modify, or otherwise manipulate data must meet university standards for data quality.

5.1 The maintenance and retention of all data must comply with the university data retention schedule.

5.2 The Information Security Office must explicitly authorize the disclosure of Social Security numbers to any vendor.

5.3 Social Security numbers shall be encrypted when stored and transmitted, and masked on displays and reports.

5.4 If credit cards are processed via a network-based service, the vendor must supply a copy of their PCI certificate where cardholder data is transacted, used, or stored. Credit card numbers shall not be stored unless the university has approved a retention period for storage in advance.

5.5 Credit card numbers will be encrypted when stored and transmitted, and masked on displays and reports.
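Items 5.3 and 5.5 both require that Social Security numbers and card numbers be masked on displays and reports. The Python below is an added example, not CSUN's or any vendor's code: it masks both in a constructed report line, keeping only the last four digits, and gates the masking on SSN structure rules and a Luhn check so that other digit runs (order numbers, phone numbers) stay readable rather than being over-masked.

```python
import re

# Constructed sample report line; every value is fake test data, not real.
SAMPLE_REPORT = (
    "Student 123456789, SSN 078-05-1120, paid with card 4111 1111 1111 1111 "
    "on 2024-03-01; order 1234 5678 9012 3456; phone 818-555-0100"
)

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is not treated as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs so other 3-2-4 codes are left intact."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask_ssn(text: str) -> str:
    def repl(m: re.Match) -> str:
        return "***-**-" + m.group(3) if plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(repl, text)


def mask_pan(text: str) -> str:
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave it readable
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def mask_report(text: str) -> str:
    """Apply both masks; SSNs first so their digits never join a PAN match."""
    return mask_pan(mask_ssn(text))


if __name__ == "__main__":
    print(mask_report(SAMPLE_REPORT))
```

The order number in the sample is 16 digits but fails the Luhn check, so it is left untouched, while the student ID and phone number never match the patterns at all.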

5.6 If financial records are processed, the vendor must supply documentation of compliance with GLBA prior to the contract being accepted by the university, and annually thereafter.

5.7 All payment processing must comply with university cash management policy.

5.8 If medical record or medical insurance data is included, the data must be encrypted, and the vendor must supply documentation of compliance with HIPAA prior to the contract being accepted by the university, and annually thereafter.

5.9 If student record data is included, the vendor must supply documentation of compliance with FERPA prior to the contract being accepted by the university, and annually thereafter.

5.10 The vendor must supply documentation of compliance with all other legislation as dictated by applicable laws and university policies.

5.11 All data will be retained for periods approved by the university and will be destroyed or returned to the university upon termination of the contract. The method of data destruction must be approved by the university and must be compliant with CSUN policies.

5.12 Vendor agrees to comply with all state of California and federal legislation within 60 days of enactment.

6.1 The university retains the right to terminate the contract with 30 days' notice for any reason related to the security items listed in the contract.

6.2 The university aggressively protects copyrighted material, and all university trademarks, logos, emblems, images, and graphics files must be used only with university approval, and must be destroyed at the end of the contract.

7.1 The vendor will present evidence of $1 million or more in liability insurance, and preferably cyber risk insurance. (FYI: insurance is required for services regardless of risk. Hosting is a service, so insurance WILL be required ($1M/$2M).)

7.2 Review applicability of contractual cyber insurance requirements.
