Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: IT Security in Purchases and Contracts
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 4 Sep 2007 12:39:20 -0400

We've tried to address this with outsourced and ASP solutions first.  We've separated these with the reasoning that in 
these situations, our data are going somewhere else to live, and really the goal of our security practice is protecting 
the data.

On our web site:  http://www2.oakland.edu/uts/policies.cfm
Click on Outsourcing, Hosting and Application Service Providers  (red words are all clickable)

Departments first have to review the Checklist.
Vendors have to submit the Standards document, and depending on the situation, the Mutual Non-Disclosure Agreement.

If we are happy with the documents, the purchase can proceed.  The submitted documents are turned in with the contracts 
to our Office of the General Counsel.  The attorney writes the material in as an exhibit.

For software and systems that we are buying for in-house installation, we write the security requirements into the RFP. 
 Vendors must respond to specifics in the RFP.  That security response is a consideration when making the final 
purchase decision.  We then work with our legal department to finalize the requirements into the contract.

Theresa



---- Original message ----
Date: Tue, 4 Sep 2007 08:37:18 -0600
From: Eric Galyon <Eric.Galyon () CUSYS EDU>
Subject: [SECURITY] IT Security in Purchases and Contracts
To: SECURITY () LISTSERV EDUCAUSE EDU

  I've attempting to research Higher Education
  practices in extending University IT security
  policies to contracts and purchases.  I'm interested
  in speaking with any institution that has either:



  1)  Created specific processes which enforce
  specific reviews and/or approvals of IT security
  aspects prior to purchase authorization.



  2)  Introduced specific written language into
  contracts, service arrangement agreements, or RFPs
  requiring vendors to meet University IT security
  policy requirements.



  I'd be interested in knowing about institutions that
  have tackled either of these issues; contact
  information would be a plus.  I'll gladly summarize
  my results and post them back to this list for
  others.



  Thanks,



  Eric Galyon

  Technical Security Specialist

  Office of Information Security

  University of Colorado

  (303) 492-9419

  Eric.Galyon () cusys edu


Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]