Educause Security Discussion
mailing list archives
Re: IT Security in Purchases and Contracts
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 4 Sep 2007 12:39:20 -0400
We've tried to address this with outsourced and ASP solutions first. We've separated these with the reasoning that in
these situations, our data are going somewhere else to live, and really the goal of our security practice is protecting
On our web site: http://www2.oakland.edu/uts/policies.cfm
Click on Outsourcing, Hosting and Application Service Providers (red words are all clickable)
Departments first have to review the Checklist.
Vendors have to submit the Standards document, and depending on the situation, the Mutual Non-Disclosure Agreement.
If we are happy with the documents, the purchase can proceed. The submitted documents are turned in with the contracts
to our Office of the General Counsel. The attorney writes the material in as an exhibit.
For software and systems that we are buying for in-house installation, we write the security requirements into the RFP.
Vendors must respond to specifics in the RFP. That security response is a consideration when making the final
purchase decision. We then work with our legal department to finalize the requirements into the contract.
---- Original message ----
Date: Tue, 4 Sep 2007 08:37:18 -0600
From: Eric Galyon <Eric.Galyon () CUSYS EDU>
Subject: [SECURITY] IT Security in Purchases and Contracts
To: SECURITY () LISTSERV EDUCAUSE EDU
I'm attempting to research Higher Education
practices in extending University IT security
policies to contracts and purchases. I'm interested
in speaking with any institution that has either:
1) Created specific processes which enforce
specific reviews and/or approvals of IT security
aspects prior to purchase authorization.
2) Introduced specific written language into
contracts, service arrangement agreements, or RFPs
requiring vendors to meet University IT security
I'd be interested in knowing about institutions that
have tackled either of these issues; contact
information would be a plus. I'll gladly summarize
my results and post them back to this list for
Technical Security Specialist
Office of Information Security
University of Colorado
Eric.Galyon () cusys edu
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services