Educause Security Discussion mailing list archives

Re: IT Security in Purchases and Contracts


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 4 Sep 2007 21:20:58 -0700

Eric,

Your purpose for asking this question may just be for research purposes.  However, I am very interested in this topic 
and have some thoughts that I would like to share.  I would really like to get input from institutions about my 
thoughts below.

Eric et al,

We utilize the recommendations in the NIST 800 series documents regarding updating contracts and other documents to 
ensure that IT Security is part of the proposal.  One suggestion that I would make is to ensure that any system, 
application, or the like undergoes a Certification and Accreditation (C&A) process prior to purchase/use by the 
University.  Government agencies have begun to institute a C&A requirement for all of their vendors, especially since 
the advent of the confusion regarding the recent VA incidents.  

The difficulty in instituting a bona fide C&A requirement process in the academic environment is the lack of a 
certification and accreditation process for academic institutions' information systems that are internally owned and 
operated.  Academic institutions are required to show compliance with FERPA, HIPAA and now, in many cases, even FISMA 
in order to maintain federal and state funding.  A NIST 800-37 certification and accreditation process would allow 
institutions to implement reasonable information security measures that would ultimately enhance the information 
security maturity model of the institution while allowing compliance with high visibility information security 
mandates, such as those mentioned above.

So, you may ask, why would we listen to NIST and who would give them the authority to provide standards and guidelines 
that could apply to our educational institution?  First, you should know, the National Institute of Standards and 
Technology has statutory responsibilities under the Federal Information Security Management Act of 2002 to provide 
minimum standards and guidelines to federal agencies attempting to comply with the FISMA of 2002.  Although academic 
institutions have not traditionally (This is changing as you will see in a later note in this message.) been required 
to show compliance with FISMA, the framework provided by NIST is a terrific framework for any institution to start with 
when attempting to mature their information security model.  So, where is an educational institution to start?  How 
should they determine whether to spend money updating their firewall policies or external vendor policies first?  How 
can an agency possibly decide what holes to patch and how to patch those holes without causing the entire dam to cave 
in from lack of stability?  The answer to this question is simple, start at the beginning...a very good place to start. 
 When you read you begin with A, B, C.  When you perform information security, you begin with N-I-S-T 800-30.....ok, so 
maybe it doesn't have a great ring to it in the song, but it is a great place to start.  

Perform your risk assessment.  Determine your risks before you begin to remediate your information security problems.  
Once you have started evaluating your risks, you may start to put a plan together to resolve the identified issues.  
Assuming that you are at that point in your information security program now, let's pick up NIST 800-18 and start our 
information system security plan.  As you work through NIST 800-18, and begin to select your controls from NIST 800-53, 
you will undoubtedly be updating your original risk assessment as you begin to consider information security controls 
that you never thought about before.  This is a topic of particular interest to me, and so I could easily go into a 
very long diatribe about the process and go on and on about expectations.  However, I have now wasted two large 
paragraphs of space on a side note that does not necessarily apply to the question that you hope to answer.

I think the bottom line is that you have to expect your vendors to adhere to the same information security standards 
and policies that you adhere to as an institution.  In government, we use what we refer to as "Flow Down Clauses."  
This means that if your internal systems have to comply, so does every contractor, subcontractor, etc., etc.  
Government RFPs list each of these requirements as an additional item that must be adhered to.  As a matter of fact, as 
grantee institutions, you may not realize that if you are getting federal funding for your program from NSF, VA, and 
many other agencies that provide funding, you may be required to comply with FISMA yourself as a "Flow Down Clause" in 
your funding contract. These contracts may be a very good place to start when determining verbiage for written language 
in contracts, service arrangement agreements, and RFPs that mandate vendor compliance with university IT security 
policy.  If these contracts do indeed require your participation and involvement in information security, you could 
easily see what to require of your vendors who will be supporting such programs of the university.

You asked about specific processes to enforce review and/or approval of IT security policies.  The specific reviews 
required could be based upon a certification and accreditation process prescribed by the university.  If you do have a 
C&A process, insist that vendors go through the same rigor as your internal support systems must endure.  Your policy 
may say:

CA-3 INFORMATION SYSTEM CONNECTIONS 

Control: The organization authorizes all connections from the information system to other information systems outside 
of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate 
organizational officials approve information system interconnection agreements. 

Supplemental Guidance: Since FIPS 199 security categorizations apply to individual information systems, the 
organization should carefully consider the risks that may be introduced when systems are connected to other information 
systems with different security requirements and security controls, both within the organization and external to the 
organization. Risk considerations should also include information systems sharing the same networks. NIST Special 
Publication 800-47 provides guidance on interconnecting information systems. (NIST 800-53 pg. 55)

This is basically indicating that any system that connects to the university information systems (could include 
hardware, software, etc.) must undergo approvals prior to connection, and must be monitored on an ongoing basis (as 
should internal controls).

Anyway, I obviously find this topic fascinating and would love to talk about any of the many details of this email 
overview in detail at anytime.  I am encouraged that universities are starting to consider information security 
paramount to the success of their mission.

Sincerely,

Sarah Stevens

Stevens Technologies, Inc.

(704) 625-8842 x 500

________________________________

From: Eric Galyon [mailto:Eric.Galyon () CUSYS EDU]
Sent: Tue 9/4/2007 7:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Security in Purchases and Contracts

I've been attempting to research Higher Education practices in extending University IT security policies to contracts and 
purchases.  I'm interested in speaking with any institution that has either:

1)  Created specific processes which enforce specific reviews and/or approvals of IT security aspects prior to purchase 
authorization.

2)  Introduced specific written language into contracts, service arrangement agreements, or RFPs requiring vendors to 
meet University IT security policy requirements.

I'd be interested in knowing about institutions that have tackled either of these issues; contact information would be 
a plus.  I'll gladly summarize my results and post them back to this list for others.

Thanks,

Eric Galyon

Technical Security Specialist

Office of Information Security

University of Colorado

(303) 492-9419

Eric.Galyon () cusys edu
