Security Checklist for Hosted IT Services

1.1  Data access shall be limited to those with a "need to know" and controlled by specific individual(s). The vendor must have procedures and solutions implemented to prevent unauthorized access, and the procedures will be documented and available for CSUN to review upon request. All of the vendor's employees with access to university data must be identified and names provided to the university upon request.

1.2  Unauthorized exposures of university data shall result in the vendor notifying CSUN immediately for Level 1 data and within twenty four hours for Level 2 and other CSUN data. No notification to individual CSUN constiuents shall be made to those affected by the unauthorized exposure of the university's data until the vendor has consulted with CSUN officials.

1.3  Physical access to facilities where data are stored must be limited and controlled. Any damage or unauthorized access to facilities must be reported to the university within 24 hours of its discovery. If any unauthorized access to university data occurred, the vendor must consult with CSUN officials before notifying those affected by the unauthorized access to this data.

1.4  Standard non-disclosure language must be included, with protection to keep information private and confidential, except as specifically provided for in the contract. Data shall not be shared with or sold to third parties.

2.1  All the vendor's systems handling university data must comply with the CSUN standards for Level 1 and Level 2 data.

2.2  All systems and applications shall regularly undergo vulnerability assessments, such as testing patch level, password security, and application security.

2.3  Routine event monitoring will be performed by the vendor; the university expects that the vendor will routinely and immediately identify events related to unauthorized activity and unauthorized access.

2.4  The vendor should undergo regular security audits, preferably by certified third parties, occurring at least annually, and any identified issues must be resolved or mitigated within 90 days of the audit report. The university may demand written proof of this audit at any time during the duration of the contract.

2.5  All services that gather Level 1 and Level 2 or otherwise sensitive information must utilize secure communications methods, such as SSl, and use a certificate from an approved independent authority, for example, Comodo, if certificates are required.

2.6  All file transmissions involving Level 1 or Level 2 or otherwise sensitive data must utilize secure communication methods; for example, SSL, SCP, SSH, SFTP.

2.7  Any Level 1 and Level 2 data must be stored on servers physically in the United States.

2.8 Authentication for cloud vendors should support CAS or Shibboleth. 

3.1  The purchasing project sponsor(s) shall detail the specific backup requirements for systems, files, and data. The vendor must agree to the required time periods and processes. For example, if a department determines that no more than the previous 24 hours of data may be lost, the vendor must be able to comply with that requirement.

3.2  The vendor must have a documented disaster recovery plan.

3.3  The vendor must have a secure secondary off-site storage location for university data. The university must approve the location of the off-site storage, and the university retains the rights to reject the location for security or availability reasons and to recommend another location.

3.4  The purchasing project sponsor(s) shall detail the specific system uptime requirements for the service and the vendor will agree to the availability requirements. An example of availability requirements might be expressed as, "Guaranteed to 99.9 percent each year or no more than 8 hours and 45 minutes of downtime every year."

4.1  The vendor must be able to maintain the integrity and accuracy of the data it manages for the university. No data exchanges will occur until the university has agreed that the data meets any specified university requirements for accuracy and integrity. The university retains the right to approve or reject the data displayed on Web sites; the display of data not meeting university standards will not be allowed.

4.2  Processes that gather, edit, modify, or otherwise manipulate data must meet university standards for data quality.

5.1  The maintenance and retention of all data must comply with the university data retention schedule.

5.2  The Information Security Office must explicitly authorize the disclosure of Social Security numbers to any vendor.

5.3  Social Security numbers shall be encrypted when stored and transmitted, and masked on displays and reports.

5.4  If credit cards are processed via a network-based service, the vendor must supply a copy of their PCI certificate where cardholder data is transacted, used or stored.  Credit card numbers shall not be stored unless the university has approved a retention period for storage in advance

5.5  Credit card numbers will be encrypted when stored and transmitted, and masked on displays and reports.

5.6  If financial records are processed, the vendor must supply documentation of compliance to GLBA prior to the contract being accepted by the university, and annually thereafter.

5.7  All payment processing must comply with university cash management policy.

5.8  If medical record or medical insurance data is included, the data must be encrypted, and the vendor must supply documentation of compliance to HIPAA prior to the contract being accepted by the university, and annually thereafter.

5.9  If student record data is included, the vendor must supply documentation of compliance to FERPA prior to the contract being accepted by the university, and annually thereafter.

5.10  The vendor must supply documentation of compliance with all other legislation as dictated by applicable laws and university policies.

5.11  All data will be retained for periods approved by the university and will be destroyed or returned to the university upon termination of the contract. The method of data destruction must be approved by the university and must be compliant with CSUN policies.

5.12  Vendor agrees to comply with all state of California and federal legislation within 60 days of enactment.

6.1  The university retains the right to terminate the contract with 30 days' notice for any reason related to the security items listed in the contract.

6.2  The university aggressively protects copyrighted material, and all university trademarks, logos, emblems, images, and graphics files must be used only with university approval, and must be destroyed at the end of the contract.

7.1  The vendor will present evidence of $1 million or more in liability insurance, and preferably cyber risk insurance. (FYI, insurance is required for services regardless of risk. Hosting is a service so insurance WILL be required ($1M/$2M).)

7.2  Review applicability of contractual cyber insurance requirements.