Background
California State University, Northridge engages in business arrangements in which university data are collected, transmitted, or processed by contracted third parties. In many of these situations, a vendor develops a network-accessible service to collect, transmit, or process data on behalf of a CSUN department. The university may also send data it has collected to a contracted third-party vendor for further processing or storage. The CSUN Information Security Office (ISO) has created this checklist to assist purchasing project sponsor(s) with risk management, contract review, and ongoing vendor management, with the goal of minimizing the risk to university data.
The ISO expects the purchasing project sponsor(s) to have determined whether or not existing university services can be utilized to ensure coherence, consistency, and elimination of redundancy prior to pursuing third-party services.
Determining the Need for a Security Assessment
A security assessment or review is required if any of the following apply to the project:
- The project involves transferring any university data classified as Level 1 or Level 2, or otherwise sensitive, from a university-owned device to a third-party contracted device.
- The project involves contracting with a vendor who will create a network-accessible service on behalf of CSUN to collect, transmit, or process any university data classified as Level 1 or Level 2, or otherwise sensitive.
- The project requires that a contracted third party collect or process any university data classified as Level 1 or Level 2, or otherwise sensitive, that will later be transmitted for use by CSUN.
- The project requires that a third party process payment card information on behalf of CSUN.
The purchasing project sponsor(s) can elect to have an ISO-approved third party conduct the security assessment, or can submit a request for assistance to the Information Security Office at iso@csun.edu. The security assessment must consider all applicable provisions of the CSUN Information Security Policies.
Assess Compliance with University Policies
The purchasing project sponsor(s) shall review the CSUN Information Security Policies.
All contracts that involve storing or moving CSUN employee or staff data must include the CSU IT supplemental provisions in the contract as written; any deviation from that language must be reviewed by the ISO.
The purchasing project sponsor(s) should note that certain types of data require the university to comply with external mandates. Such mandates include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS) and its supporting documents
- Section 508 of the U.S. Rehabilitation Act
- California State University Accessible Technology Initiative Accessibility Requirements
Data management plans must conform to all applicable mandates. If there are any questions regarding policy interpretation or compliance, please contact the Information Security Office at iso@csun.edu.
System Security Assessment
The systems used to process, transmit, or store data must be reviewed before the Purchasing & Contract Administration office formalizes and executes the agreement. References from the vendor's other clients should be obtained before the agreement is formalized. The purchasing project sponsor(s) is responsible for ensuring that a system security assessment is conducted. An assessment approved by an Information Security Officer must be noted on the purchase requisition before the Purchasing & Contract Administration office will release a Purchase Order. The Information Security Office is available to assist in performing a security assessment, subject to priority and availability.
If you have any comments or suggestions, please contact the Information Security Office at iso@csun.edu.
Review of Contract Details
The Information Security Office can assist in the review of contract details upon request, subject to priority and availability. The Purchasing & Contract Administration office will require an approved assessment as well as an approved Electronic & Information Technology (E&IT) form, and may require specific language in the contract. In general, the following items must be assessed: