Educause Security Discussion mailing list archives
Re: IT Security in Purchases and Contracts
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 4 Sep 2007 21:20:58 -0700
Eric,

Your purpose for asking this question may just be for research purposes. However, I am very interested in this topic and have some thoughts that I would like to share. I would really like to get input from institutions about my thoughts below.

Eric et al,

We utilize the recommendations in the NIST 800 series documents regarding updating contracts and other documents to ensure that IT Security is part of the proposal. One suggestion that I would make is to ensure that any system, application, or the like undergoes a Certification and Accreditation (C&A) process prior to purchase/use by the University. Government agencies have begun to institute a C&A requirement for all of their vendors, especially since the advent of the confusion regarding the recent VA incidents.

The difficulty in instituting a bona fide C&A requirement process in the academic environment is the lack of a certification and accreditation process for academic institutions' information systems that are internally owned and operated. Academic institutions are required to show compliance with FERPA, HIPAA and now, in many cases, even FISMA in order to maintain federal and state funding. A NIST 800-37 certification and accreditation process would allow institutions to implement reasonable information security measures that would ultimately enhance the information security maturity model of the institution while allowing compliance with high visibility information security mandates, such as those mentioned above.

So, you may ask, why would we listen to NIST, and who would give them the authority to provide standards and guidelines that could apply to our educational institution? First, you should know that the National Institute of Standards and Technology has statutory responsibilities under the Federal Information Security Management Act of 2002 to provide minimum standards and guidelines to federal agencies attempting to comply with the FISMA of 2002.

Although academic institutions have not traditionally been required to show compliance with FISMA (this is changing, as you will see in a later note in this message), the framework provided by NIST is a terrific framework for any institution to start with when attempting to mature their information security model.

So, where is an educational institution to start? How should they determine whether to spend money updating their firewall policies or external vendor policies first? How can an agency possibly decide what holes to patch and how to patch those holes without causing the entire dam to cave in from lack of stability? The answer to this question is simple: start at the beginning... a very good place to start. When you read, you begin with A, B, C. When you perform information security, you begin with N-I-S-T 800-30... ok, so maybe it doesn't have a great ring to it in the song, but it is a great place to start. Perform your risk assessment. Determine your risks before you begin to remediate your information security problems. Once you have started evaluating your risks, you may start to put a plan together to resolve the identified issues.

Assuming that you are at that point in your information security program now, let's pick up NIST 800-18 and start our information system security plan. As you work through NIST 800-18 and begin to select your controls from NIST 800-53, you will undoubtedly be updating your original risk assessment as you begin to consider information security controls that you never thought about before. This is a topic of particular interest to me, and so I could easily go into a very long diatribe about the process and go on and on about expectations. However, I have now wasted two large paragraphs of space on a side note that does not necessarily apply to the question that you hope to answer.

I think the bottom line is that you have to expect your vendors to adhere to the same information security standards and policies that you adhere to as an institution. In government, we use what we refer to as "Flow Down Clauses." This means that if your internal systems have to comply, so does every contractor, subcontractor, etc., etc. Government RFPs list each of these requirements as an additional item that must be adhered to. As a matter of fact, as grantee institutions, you may not realize that if you are getting federal funding for your program from NSF, VA, and many other agencies that provide funding, you may be required to comply with FISMA yourself as a "Flow Down Clause" in your funding contract. These contracts may be a very good place to start when determining verbiage for written language in contracts, service arrangement agreements, and RFPs that mandate vendor compliance with university IT security policy. If these contracts do indeed require your participation and involvement in information security, you could easily see what to require of your vendors who will be supporting such programs of the university.

You asked about specific processes to enforce review and/or approval of IT security policies. The specific reviews required could be based upon a certification and accreditation process prescribed by the university. If you do have a C&A process, insist that vendors go through the same rigor as your internal support systems must endure. Your policy may say:

"CA-3 INFORMATION SYSTEM CONNECTIONS
Control: The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate organizational officials approve information system interconnection agreements.
Supplemental Guidance: Since FIPS 199 security categorizations apply to individual information systems, the organization should carefully consider the risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the organization and external to the organization. Risk considerations should also include information systems sharing the same networks. NIST Special Publication 800-47 provides guidance on interconnecting information systems." (NIST 800-53, pg. 55)

This is basically indicating that any system that connects to the university information systems (could include hardware, software, etc.) must undergo approvals prior to connection, and must be monitored on an ongoing basis (as should internal controls).

Anyway, I obviously find this topic fascinating and would love to talk about any of the many details of this email overview in detail at any time. I am encouraged that universities are starting to consider information security paramount to the success of their mission.

Sincerely,
Sarah Stevens
Stevens Technologies, Inc.
(704) 625-8842 x 500

________________________________
From: Eric Galyon [mailto:Eric.Galyon () CUSYS EDU]
Sent: Tue 9/4/2007 7:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Security in Purchases and Contracts

I've been attempting to research Higher Education practices in extending University IT security policies to contracts and purchases. I'm interested in speaking with any institution that has either:

1) Created specific processes which enforce specific reviews and/or approvals of IT security aspects prior to purchase authorization.
2) Introduced specific written language into contracts, service arrangement agreements, or RFPs requiring vendors to meet University IT security policy requirements.

I'd be interested in knowing about institutions that have tackled either of these issues; contact information would be a plus. I'll gladly summarize my results and post them back to this list for others.

Thanks,
Eric Galyon
Technical Security Specialist
Office of Information Security
University of Colorado
(303) 492-9419
Eric.Galyon () cusys edu