The purpose of this policy is to secure and protect WPI sensitive information and applications that will be either provided to or managed by non-WPI business units. These include application service providers, hosting companies, backup facilities, and external data portals. Placing WPI data with such parties introduces risks that include, but are not limited to:
- Unauthorized access
- Unauthorized transfer of information to third parties
- Corruption or loss of data
This policy also establishes expectations around data release and maintains a consistent security posture between WPI's internal systems and the systems of all external parties.
This policy applies to any external solution provider (henceforth called a 'vendor') that is being considered for use by WPI, or has already been selected, where any of the following is true:
- University data will be transmitted to the vendor for storage and/or processing
- Data collected, transmitted, processed or stored by the vendor meets WPI's definition of sensitive data
- The vendor will process credit or payment cards as a revenue collection agent for the university
- WPI IT reserves the right to periodically audit, or to request an audit of, WPI applications hosted by the vendor to ensure compliance with its policies and these Standards. Non-intrusive network audits of non-confidential and non-proprietary information may be done randomly, without prior notice, but with immediate post-audit notice when problems are discovered. More intrusive network and physical audits may be conducted with advance written notice. Such audits shall occur not more than twice annually and shall be conducted only during mutually agreeable hours. Alternatively, the vendor may commit to an annual security audit and share its results with WPI, or may submit a statement of compliance with Payment Card Industry (PCI) standards, which include an audit step.
WPI will request that vulnerabilities identified in the audit be fixed or mitigated within 90 days of the audit report.
- The vendor must provide a proposed architecture document that includes a full network diagram of the application environment around WPI services, illustrating the relationship between the environment and any other relevant networks, with a full data flowchart that details where WPI's data reside, the applications that manipulate data, and the security thereof.
- The vendor must be able to immediately disable all or part of the functionality of the application should a security issue be identified.
- The vendor agrees to comply with all state and federal privacy and security legislation within 60 days of enactment.
- The vendor must present evidence of network security, cyber liability, and errors and omissions insurance. Typical limits are $5 million per occurrence and $5 million in the aggregate.
- If credit cards or other bank payment methods are used in this service, the vendor must provide a certificate of compliance for the Cardholder Information Security Program (CISP) prior to engagement, and must provide an updated certificate of compliance to WPI annually thereafter for the duration of the agreement.
- Network hosting of the application must be air-gapped from any other network or customer that the vendor may have, unless prior approval is given by WPI.
- If WPI will be connecting to the vendor via a private circuit (such as frame relay, a VPN tunnel, etc.), then that circuit must terminate at the WPI network border, and the operation of that circuit will come under the procedures and policies that govern the WPI network.
- If data between WPI and the vendor will be transferred over a public network such as the Internet, appropriate firewall technology must be deployed by the vendor, and the traffic between WPI and the vendor must be encrypted and authenticated using cryptographic technology.
- The vendor must disclose how and to what extent the hosts (UNIX, Windows, etc.) comprising the application infrastructure have been hardened against attack. If the vendor has hardening documentation for the infrastructure, it should be provided to WPI for review.
- The vendor must provide a listing of all software in use, including operating system, web server, database management system, and the current release number for each software component.
- Information on how and when security patches will be applied must be provided. An update schedule should be provided if available.
- The vendor must disclose their processes for monitoring the integrity and availability of those hosts.
- The vendor must provide information on their password policy for the application infrastructure, including minimum password length, password generation guidelines, and how often passwords are changed.
- WPI will not share internal usernames or passwords with third parties for account creation or single sign-on. WPI will work with the vendor on an access solution that does not disclose WPI credentials.
- The vendor must provide information on the account generation, maintenance and termination process, for both systems maintenance as well as user accounts.
- At WPI's discretion, the vendor may be required to disclose the specific configuration files for any web servers and associated support functions (such as search engines or databases).
- The vendor will disclose what languages and technologies are used in the front-end (user interface), the back-end (service interfaces), and the management functions.
- The vendor will provide the process for doing security Quality Assurance testing for the application. For example, describe testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture.
- The vendor will provide the application development security standards employed for development, such as adherence to the Open Web Application Security Project (www.owasp.org). Describe development standards related to security, including any external body of standards enforced in development.
- The vendor will provide the results of any web code review (covering CGI, Java, etc.) performed for the explicit purpose of finding and mitigating security vulnerabilities. If such a review has taken place, the vendor must identify who performed it, what the results were, and what remediation has taken place. If no such review has taken place, the vendor will provide a review schedule and then provide results from that review as described.
- Web sites must be implemented using Secure Socket Layer (SSL, now superseded by TLS) with a certificate issued by an independent certificate authority.
- The vendor's application infrastructure cannot utilize any "homegrown" cryptography - any symmetric, asymmetric or hashing algorithm utilized by the application infrastructure must utilize algorithms that have been published and evaluated by the general cryptographic community.
- Encryption algorithms must be of a strength set by WPI IT Security staff.
- Connections between WPI and the vendor over the Internet must be protected using one of the following cryptographic technologies: IPSec, SSL/TLS, SSH/SCP, PGP.
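The two transport requirements above (a site served over SSL/TLS with a certificate from an independent authority, and encrypted, authenticated traffic between WPI and the vendor) are the ones a reviewer can verify directly against a vendor endpoint. The following is an added example of such a check, written for this page; it is not part of the WPI policy and not vendor code. It assumes a minimum of TLS 1.2, a 30-day certificate-expiry warning window, and a placeholder hostname; none of those values come from the policy. The sample certificate dictionaries are constructed to mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()` and do not describe any real vendor.

```python
"""Vendor endpoint transport check (added example, not WPI policy or vendor code)."""
import socket
import ssl
import sys
import time

ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # assumed minimum; legacy SSLv3 / TLS 1.0 / 1.1 fail
EXPIRY_WARNING_DAYS = 30                   # assumed warning threshold

# Constructed samples mimicking getpeercert() output; not real certificates.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "portal.vendor.example"),),),
    "issuer": ((("commonName", "portal.vendor.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Feb 15 00:00:00 2024 GMT",
}
CA_ISSUED_SAMPLE = {
    "subject": ((("countryName", "US"),), (("commonName", "portal.vendor.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Fixed "now" used when assessing the samples, so results are reproducible offline.
SAMPLE_NOW_EPOCH = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")


def _name_dict(rdns):
    """Flatten getpeercert()'s tuple-of-tuples distinguished name into a dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def assess_endpoint(cert, protocol_version, now_epoch=None):
    """Return a list of finding strings; an empty list means the endpoint passes."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    findings = []
    # A self-signed certificate has identical issuer and subject: not an "independent authority".
    if _name_dict(cert.get("subject", ())) == _name_dict(cert.get("issuer", ())):
        findings.append("certificate is self-signed (issuer == subject)")
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch
    days_left = int(seconds_left // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    if protocol_version not in ALLOWED_VERSIONS:
        findings.append(f"negotiated {protocol_version}; TLS 1.2 or newer required")
    return findings


def check_vendor(hostname, port=443, timeout=5.0):
    """Connect with a default context (chain validation + hostname match) and assess the result."""
    ctx = ssl.create_default_context()          # validates against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions outright
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess_endpoint(tls.getpeercert(), tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Unknown issuer, self-signed, expired or hostname mismatch all land here.
        return [f"chain validation failed: {exc.verify_message}"]


if __name__ == "__main__":
    for label, cert, version in (("self-signed sample", SELF_SIGNED_SAMPLE, "TLSv1"),
                                 ("CA-issued sample", CA_ISSUED_SAMPLE, "TLSv1.3")):
        print(label, "->", assess_endpoint(cert, version, SAMPLE_NOW_EPOCH) or "pass")
    if len(sys.argv) > 1:  # optional live check: python check.py portal.vendor.example
        print(sys.argv[1], "->", check_vendor(sys.argv[1]) or "pass")
```

The default context does the heavy lifting for a live check: a self-signed or unknown-issuer certificate fails the handshake before `assess_endpoint` is reached. The self-signed test inside `assess_endpoint` still matters when the certificate dictionary was obtained some other way, for example from a vendor-supplied export during the architecture review.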
Disaster Recovery and Business Continuity
- The vendor will provide a backup schedule that includes a backup of the server such that no more than 24 hours of data can be lost in case of server failure (a recovery point objective of 24 hours).
- The vendor guarantees that a disaster recovery plan exists, including off-site storage of data in a secure location. WPI must approve the off-site storage of the data, and the University retains the right to reject the location for security reasons and to recommend another location.
- The vendor will state its hours of operation, customer support hours of operation, and time zone.
- Data access will be limited to those with a "need to know" and controlled on a per-individual basis. The vendor will have procedures and solutions implemented to prevent unauthorized access, and the procedures will be documented and submitted for WPI approval.
- Those allowed to send data and receive data to and from the vendor must be identified, as defined within this process.
- The procedure for notification in the event of accidental data exposure must be identified. Accidental exposures of data to unauthorized persons will result in the vendor notifying WPI within 4 hours of discovery, and no notification to those whose data have been exposed will occur without prior discussion with WPI.
- Standard non-disclosure language must be included, with protection to keep information and data private and confidential, and to treat information and data confidentially except as specifically provided for in the contract. Data may not be shared with or sold to third parties.
- Standards for data quality are established by WPI and enforced by the vendor. The vendor must meet WPI's standards for the quality and integrity of the data. WPI retains the right to approve the quality of data displayed on web sites (or the data will be removed). Processes that gather, edit, modify, calculate or otherwise manipulate data must meet WPI standards for data quality. WPI must approve the sources of data and the data maintenance method.
- If sensitive data are involved in this process, WPI IT Security's approval is required.
- WPI standard form for Mutual Non-Disclosure of information must be signed.
In order to facilitate a timely evaluation and approval process, departments should proceed in the following order:
- Departments should evaluate their requirements and use these requirements to choose a potential vendor.
- Departments should then approach IT with their vendor choice. IT will review the technical aspects of the decision, covering overall architecture, incompatibilities with existing systems, security and privacy issues, and disaster recovery requirements.
Any residual risk will need to be reviewed and accepted either by the IT Governance Committee, or the Risk Management office.
- Data will be retained only for the period of this agreement and only for the retention period approved by WPI, and will be returned to WPI or destroyed using a standard approved by WPI upon termination of this agreement.
- WPI retains the right to terminate the contract with 30 days notice for any reason related to the security items listed in the contract.
- WPI aggressively protects copyrighted material, and all WPI logos, emblems, images, and image files (including GIFs) must be used only with WPI approval, and must be destroyed at the end of the agreement.
Approved December 11, 2007: Approved by the CIO/VP of Information Technology and the AVP for Information Security and Networking.
Revised March 16, 2009: Revised based on recommendations made by the Committee on Information Technology Policy. Pending faculty endorsement and Governance Committee approval.