Educause Security Discussion mailing list archives
Re: Systems Acquisition and Development standard
From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Fri, 29 Jan 2010 13:14:58 -0500
We use a set of standards that are based on the degree of data security required. See http://its.unc.edu/InfoSecurity/proposed-policies/index.htm under Information Security Standards Policy; the right-hand column lists the standards in table format.

For an analysis of the risk, hosted situations are the most tricky, especially if multiple parties on the vendor side are involved. I try to encourage users to identify whether the party signing the contract is actually doing the controls or if they contract with someone else. We try to straighten out who is responsible for which control to avoid finger-pointing later on, in case something goes wrong and each party thought it was someone else's responsibility to scan for OS vulnerabilities versus application vulnerabilities.

I like Patty's questionnaire a lot. Patty, this is a great list of questions and I like the open-ended format of the NO and NA options. My only concern would be about the time involvement to analyze the "further information" response. In your experience, does the further information piece take significant time to analyze, or do you see common answers, such as subcontract with party XX?

Thanks - Eva

Eva Lorenz Ph.D., J.D., ITv3F
ITS Security
2800 ITS Manning
211 Manning Dr CB3420
Chapel Hill NC 27599

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Friday, January 29, 2010 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Acquisition and Development standard

Hi Ben,

For hosted applications that store sensitive data, we use the attached Third Party Assurance Questionnaire. For applications that reside at Bentley, we require a Functional Analysis document to be completed (http://www.bentley.edu/administrative-systems/policies-and-procedures.cfm), which is reviewed by many different members of IT.

Hope that helps.

Patty

Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 | 781.891.2364

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Friday, January 29, 2010 10:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Systems Acquisition and Development standard

We are drafting a systems acquisition and development standard with the goal of ensuring that information security is considered and that proposed purchases/development are reviewed by our office. I've found some good resources online. Does anyone have a standard/policy/requirements document they can share?

Thanks,

Ben Woelk
Information Security Communications and Training Specialist
Rochester Institute of Technology
151 Lomb Memorial DR
Ross 10-A204
Rochester, NY 14623
585-475-4122
Current thread:
- Systems Acquisition and Development standard Ben Woelk (Jan 29)
- <Possible follow-ups>
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard James C. Farr '05 (Jan 29)
- Re: Systems Acquisition and Development standard Lorenz, Eva (Jan 29)
- Re: Systems Acquisition and Development standard Patria, Patricia (Jan 29)
- Re: Systems Acquisition and Development standard David Escalante (Jan 29)
- Re: Systems Acquisition and Development standard Ozzie Paez (Jan 29)