Educause Security Discussion
mailing list archives
Re: IT Security in Purchases and Contracts
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 4 Sep 2007 21:20:58 -0700
Your purpose for asking this question may just be for research purposes. However, I am very interested in this topic
and have some thoughts that I would like to share. I would really like to get input from institutions about my
Eric et al,
We utilize the recommendations in the NIST 800 series documents regarding updating contracts and other documents to
ensure that IT Security is part of the proposal. One suggestion that I would make is to ensure that any system,
application, or the like undergoes a Certification and Accreditation (C&A) process prior to purchase/use by the
University. Government agencies have begun to institute a C&A requirement for all of their vendors, especially since
the advent of the confusion regarding the recent VA incidents.
The difficulty in instituting a bona fide C&A requirement process in the academic environment is the lack of a
certification and accreditation process for academic institutions' information systems that are internally owned and
operated. Academic institutions are required to show compliance with FERPA, HIPAA and now, in many cases, even FISMA
in order to maintain federal and state funding. A NIST 800-37 certification and accreditation process would allow
institutions to implement reasonable information security measures that would ultimately enhance the information
security maturity model of the institution while allowing compliance with high visibility information security
mandates, such as those mentioned above.
So, you may ask, why would we listen to NIST and who would give them the authority to provide standards and guidelines
that could apply to our educational institution? First, you should know, the National Institute of Standards and
Technology has statutory responsibilities under the Federal Information Security Management Act of 2002 to provide
minimum standards and guidelines to federal agencies attempting to comply with the FISMA of 2002. Although academic
institutions have not traditionally (This is changing as you will see in a later note in this message.) been required
to show compliance with FISMA, the framework provided by NIST is a terrific framework for any institution to start with
when attempting to mature their information security model. So, where is an educational institution to start? How
should they determine whether to spend money updating their firewall policies or external vendor policies first? How
can an agency possibly decide what holes to patch and how to patch those holes without causing the entire dam to cave
in from lack of stability? The answer to this question is simple, start at the beginning...a very good place to start.
When you read you begin with A, B, C. When you perform information security, you begin with N-I-S-T 800-30.....ok, so
maybe it doesn't have a great ring to it in the song, but it is a great place to start.
Perform your risk assessment. Determine your risks before you begin to remediate your information security problems.
Once you have started evaluating your risks, you may start to put a plan together to resolve the identified issues.
Assuming that you are at that point in your information security program now, let's pick up NIST 800-18 and start our
information system security plan. As you work through NIST 800-18, and begin to select your controls from NIST 800-53,
you will undoubtedly be updating your original risk assessment as you begin to consider information security controls
that you never thought about before. This is a topic of particular interest to me, and so I could easily go into a
very long diatribe about the process and go on and on about expectations. However, I have now wasted two large
paragraphs of space on a side note that does not necessarily apply to the question that you hope to answer.
I think the bottom line is that you have to expect your vendors to adhere to the same information security standards
and policies that you adhere to as an institution. In government, we use what we refer to as "Flow Down Clauses."
This means that if your internal systems have to comply, so does every contractor, subcontractor, etc., etc.
Government RFPs list each of these requirements as an additional item that must be adhered to. As a matter of fact, as
grantee institutions, you may not realize that if you are getting federal funding for your program from NSF, VA, and
many other agencies that provide funding, you may be required to comply with FISMA yourself as a "Flow Down Clause" in
your funding contract. These contracts may be a very good place to start when determining verbiage for written language
in contracts, service arrangement agreements, and RFPs that mandate vendor compliance with university IT security
policy. If these contracts do indeed require your participation and involvement in information security, you could
easily see what to require of your vendors who will be supporting such programs of the university.
You asked about specific processes to enforce review and/or approval of IT security policies. The specific reviews
required could be based upon a certification and accreditation process prescribed by the university. If you do have a
C&A process, insist that vendors go through the same rigor as your internal support systems must endure. Your policy
may say "
CA-3 INFORMATION SYSTEM CONNECTIONS
Control: The organization authorizes all connections from the information system to other information systems outside
of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate
organizational officials approve information system interconnection agreements.
Supplemental Guidance: Since FIPS 199 security categorizations apply to individual information systems, the
organization should carefully consider the risks that may be introduced when systems are connected to other information
systems with different security requirements and security controls, both within the organization and external to the
organization. Risk considerations should also include information systems sharing the same networks. NIST Special
Publication 800-47 provides guidance on interconnecting information systems." (NIST 800-53 pg. 55)
This is basically indicating that any system that connects to the university information systems (could include
hardware, software, etc.) must undergo approvals prior to connection, and must be monitored on an ongoing basis (as
should internal controls).
Anyway, I obviously find this topic fascinating and would love to talk about any of the many details of this email
overview in detail at anytime. I am encouraged that universities are starting to consider information security
paramount to the success of their mission.
Stevens Technologies, Inc.
(704) 625-8842 x 500
From: Eric Galyon [mailto:Eric.Galyon () CUSYS EDU]
Sent: Tue 9/4/2007 7:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Security in Purchases and Contracts
I've been attempting to research Higher Education practices in extending University IT security policies to contracts and
purchases. I'm interested in speaking with any institution that has either:
1) Created specific processes which enforce specific reviews and/or approvals of IT security aspects prior to purchase.
2) Introduced specific written language into contracts, service arrangement agreements, or RFPs requiring vendors to
meet University IT security policy requirements.
I'd be interested in knowing about institutions that have tackled either of these issues; contact information would be
a plus. I'll gladly summarize my results and post them back to this list for others.
Technical Security Specialist
Office of Information Security
University of Colorado
Eric.Galyon () cusys edu