BYU-Hawaii Information Security Requirements for Vendors

Introduction  

Brigham Young University (“BYU-Hawaii”) contracts vendors to provide the services BYU-Hawaii needs to better accomplish its mission (“Vendors”). Where a Vendor must access BYU-Hawaii-owned data to perform services for BYU-Hawaii, the Vendor is responsible to implement the information security requirements described below. These requirements are incorporated into the terms and conditions of any applicable agreement for the Vendor to provide services to BYU-Hawaii (“Service Agreement”). Also, these requirements do not replace or supersede any requirements otherwise agreed to by BYU-Hawaii and a Vendor. 

Definitions

“BYU-Hawaii Data” includes all data (in any format) that, as a result of the Services, BYU-Hawaii allows Vendor to access, possess, view, or otherwise Process.

“Processing” (or to “Process”) means the collection, access, use, disclosure, transmission, transfer, retention, storage, destruction, conversion, incorporation, anonymization, or transformation in any manner of BYU-Hawaii Data.

“Services” means authorized services performed by Vendor pursuant to the Service Agreement.

“Third-Party Hosting Services” means those parts of the Services provided, on Vendor’s behalf, by someone or some entity other than Vendor.

“Vendor’s Agents” means any and all agents, representatives, employees, and contractors of Vendor, including providers of Third-Party Hosting Services.

Requirements  

SECURITY QUESTIONNAIRE

Prior to contracting to provide Services, the Vendor must complete the CES Security Operations Center’s Security Questionnaire (“Questionnaire”) with information related to the Vendor’s key security practices and capabilities, as well as those of Third-Party Hosting Services, to determine if they are sufficient to protect BYU-Hawaii Data. Upon BYU-Hawaii’s request, the Vendor must provide to BYU-Hawaii updated responses to the Questionnaire so that BYU-Hawaii may assess any changes to the Vendor’s key security practices and capabilities.

INFORMATION SECURITY MANAGEMENT 

The Vendor must maintain an information security program, including key roles and responsibilities, such as information security leadership, budget, operations, policy, incident response, and training and awareness. The Vendor must assess enterprise information security risks at least annually, including tracking reasonable progress with remediation plans. 

LEGALLY REQUIRED DATA GOVERNANCE STANDARDS

The Vendor must take reasonable measures to ensure that all legally or industry required governance standards applicable to BYU-Hawaii Data and the Services are met (e.g., Federal Acquisition Regulations requirements, Payment Card Industry requirements, etc.).

HUMAN RESOURCE SECURITY 

The Vendor must maintain a current list of all Vendor’s Agents with access to BYU-Hawaii Data and promptly provide a copy of the list to BYU-Hawaii upon request. The Vendor must perform pre‐hiring background screening for all of the Vendor’s Agents with access to BYU-Hawaii Data. The Vendor must also train Vendor’s Agents to comply with these requirements, as well as any applicable requirements in the Service Agreement, and obtain from each of Vendor’s Agents a signed agreement with covenants of confidentiality at least as restrictive as those contained in the Service Agreement.

ACQUISITION AND VENDOR MANAGEMENT 

The Vendor must ensure that only reputable products and, if permitted, downstream vendors are used in Services. Where the Service Agreement permits use of downstream vendors, these requirements must be contractually required for downstream vendors. 

INVENTORY AND ASSET MANAGEMENT 

The Vendor must maintain an accurate inventory of hardware and software products used for the Services and promptly provide a copy to BYU-Hawaii upon request. 

SECURE CONFIGURATIONS AND PATCHING

Infrastructure and platform systems, such as (physical and virtual) servers, databases, storage systems, and network devices used for the Services must use vendor-supported software with the latest security patches, and configured according to industry best practice guidelines.  

DATA LOCATION

The Vendor must (i) store all BYU-Hawaii Data in the continental United States, except where provides specific written consent; (ii) provide to BYU-Hawaii, upon request, the physical location of each and every server that may Process or store BYU-Hawaii Data, all Third-Party Hosting Services used by Vendor in connection with the Services, and the identity of and business relationship will all Vendor’s Agents used to fulfill the Services (including providers of Third-Party Hosting Services); and (iii) provide at least seven days’ written notice to BYU-Hawaii before any server physical location changes.

DATA RETURN AND PURGE

BYU-Hawaii retains ownership of BYU-Hawaii Data. Upon termination of the Service Agreement, Vendor must immediately return all BYU-Hawaii Data in its possession to BYU-Hawaii and purge it from its systems upon termination of agreement.

SEARCH, RETENTION, AND DESTRUCTION OF DATA

Vendor must develop and enable data search, retention, and destruction capabilities to allow BYU-Hawaii to implement its data retention programs, efficiently achieve litigation holds, and locate, collect and preserve data, including metadata. Vendor must create and deploy processes and controls that allow for the effective and efficient authentication of BYU-Hawaii Data. Immediately upon notice by BYU-Hawaii of a litigation hold relative to BYU-Hawaii Data, Vendor must maintain and preserve the integrity of BYU-Hawaii’s Data, suspend the deletion of all BYU-Hawaii’s Data subject to the litigation hold, and ensure ready access to BYU-Hawaii Data by BYU-Hawaii or its legal representatives. 

SUBPOENAS

Vendor must notify BYU-Hawaii within 24 hours of the service of any subpoena or other legal process seeking BYU-Hawaii Data, and will assist and cooperate with BYU-Hawaii in responding to such legal process. In addition, Vendor must make reasonable efforts not to release BYU-Hawaii Data pending the outcome of such legal process.

NETWORK AND BOUNDARY PROTECTION 

The Vendor must maintain reasonable inbound and outbound security restrictions for application and network communications associated with BYU-Hawaii Data and related services. Where possible, BYU-Hawaii Data must be maintained on non‐shared servers, instances, and databases.

VULNERABILITY DETECTION AND REMEDIATION 

Frequent vulnerability detection and remediation must be performed for all compute environments where BYU-Hawaii Data is located and for any Vendor management systems and services that could impact the security of BYU-Hawaii Data. 

APPLICATION SECURITY 

Where custom applications are developed by the Vendor for BYU-Hawaii, those applications must be developed using coding techniques that minimize common vulnerabilities, such as those described by the Open Web Application Security Project (OWASP).

SERVICE AVAILABILITY

The Vendor must maintain information, application, and service resilience adequate to meet agreed upon service level agreements, including the implementation of disaster recovery and avoidance procedures, and daily data backups of data.

ACCESS CONTROL 

The Vendor must restrict access by Vendor’s Agents to BYU-Hawaii Data to only that needed to adequately perform the Services. BYU-Hawaii Data must be isolated from other customers and external entities, except for Third-Party Host Providers. Vendor must use strong encryption for BYU-Hawaii Data at rest and in transit. Administrative access to system and application functions associated with BYU-Hawaii Data must require multi‐factor authentication. Vendor must conduct regular security assessments of Vendor’s Agents with access to BYU-Hawaii Data, information systems or facilities, and restrict Vendor’s Agents from subcontracting duties with respect to the Services without prior approval by Vendor and BYU-Hawaii. Upon BYU-Hawaii’s request, Vendor must promptly suspend or terminate access by Vendor’s Agents to ensure the security of BYU-Hawaii Data, information systems and facilities.

SECURITY MONITORING 

The Vendor must log and monitor critical application, system, and account security events.  Where possible, the Vendor must enable API access for security‐event logs to be accessed by BYU-Hawaii log‐collection processes. 

PHYSICAL SECURITY 

The Vendor must implement reasonable perimeter and facility physical security controls. 

THIRD-PARTY SERVICE PROVIDERS

The Vendor must contractually require that all Third-Party Services Providers storing or Processing BYU-Hawaii Data maintain information security standards and practices at least as restrictive as those listed here and in the Service Agreement.

Details

Article ID: 130755
Created
Wed 6/9/21 8:43 AM
Modified
Wed 6/9/21 8:43 AM