URP: I.19.m Information Security System and Services Acquisition

Tags techurp

This document establishes the information security system and services acquisition regulations and procedures, for managing risks associated from acquiring security system and services that are incompatible, expose additional risk, unreasonably expensive or not aligned with Texas Woman's University’s (TWU) mission.

System Development Life Cycle (SDLC) is a term used in systems engineering, information systems and software engineering to describe a process for planning, creating, testing, and deploying an information system.
The scope of these regulations and procedures are applicable to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities are embedded within these procedures.

The State of Texas has chosen to adopt the Access Control principles established in NIST SP 800-53 “System and Service Acquisition,” Control Family guidelines. The following subsections outline the information system and service acquisition standards that constitute TWU’s regulations and procedures.

SA-1 System and Services Acquisition:
 Regulations:
▪ TWU must develop, document, disseminate, review, and update system and services acquisition regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
 Procedures:
▪ The Office of Technology (OOT) will maintain regulations and procedures for services acquisition regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

SA-2 Allocation of Resources:
 Regulations:
▪ TWU must:
• Determine information security requirements for the information system or information system service in mission/business process planning;
• Determine, document, and allocate the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
• Establish a discrete line item for information security in organizational programming and budgeting documentation.
 Procedures:
▪ Beginning in the Summer and continuing into the Fall semesters, The OOT performs an annual review that culminates with the creation of an annual report. The annual review process includes feedback from colleagues across the university, review of best practice, internal metrics, and time to reflect on future trends in technology. The annual review process is also used to: 1) identifying opportunities for continuous improvement; 2) inform the next fiscal year financial plan, and 3) allocates the resources required to protect the information systems. In addition to the annual review process, requests for resources come from tickets submitted to the Service Desk, meetings with department leaders, meetings with faculty, involvement with student committees, and requests on behalf of the Cabinet through the Chief Information Officer (CIO). Depending on the nature of the information system requested, the acquisition is put through the OOT governance process, which includes a step of the Security Team Manager and Information Security Officer (ISO) to review and recommend security resources.
▪ Toward the end of the Fall semester, the OOT management team begin to refine all of the information into actionable goals for the following fiscal year. The goals are evaluated by the CIO and unit Directors for alignment to the University strategic plan, innovation, stewardship, and security. Part of aligning resources is forecasting future resource availability and need. Forecasts are created for all of the OOT budgets. Trends in enrollment, discussion among university leaders, and changes in the field of technology all drive forecasting models.
▪ Goals that have been determined to be priorities in the alignment step are further reviewed. If the goal includes the acquisition of products and/or services, unit managers gather more information from the requestors and vendors when appropriate.
▪ To identify the potential security risks, risk assessments are conducted for all software requests. Risk assessments are categorized by low, medium, and high. Signatures by the ISO, Information Resource Manager (IRM), Data Owners and Chancellor are required for all high risk reviews. In situations where services are requested by third party (vendors) whose product is designed to store TWU data, Application Service Provider (ASP) agreements are requested by TWU for the vendor to complete.
▪ By the end of January of the current fiscal year, CIO and unit Directors consolidate all of the goals and begin to prioritize on the basis of what is required, highest priority, and affordable under the current budget. When new resources are needed, the CIO submits budget justification to the Provost to be presented at the February Board of Regents meeting.

▪ During the month of March, unit Directors make necessary adjustments on the basis of the strategic direction set by the Board of Regents and Cabinet and submit to the CIO for review.
▪ In August, CIO approves the final financial plan and Unit Directors enter the plan into the OOT budget manager system to be used in the upcoming fiscal year.

SA-3 System Development Life Cycle (SDLC):
 Regulations:
▪ TWU must:
• Manage information systems using a system development life cycle (SDLC) that incorporates information security considerations;
• Define and document information security roles and responsibilities throughout the system development life cycle; and
• Identify individual having information security roles and responsibilities.
 Procedures:
▪ Information security systems are managed using a SDLC defined by OOT that incorporates information security considerations and has defined security roles and responsibilities.
▪ OOT Security Team maintains the OOT business continuity manual that identifies individuals with information security roles and responsibilities.

SA-4 Acquisition Process:
 Regulations:
▪ TWU must include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and University mission/business needs:
• Security functional requirements;
• Security strength requirements;
• Security assurance requirements;
• Security-related documentation requirements;
• Requirements for protecting security-related documentation;
• Description of the information system development environment and environment in which the system is intended to operate; and
• Acceptance criteria.

 Procedures:
▪ OOT includes security requirements and/or security specifications in information system acquisition contracts during the risk assessment process in accordance with applicable laws and standards.
SA-9 External Information System Services:

 Regulations:
▪ TWU must:
• Require that providers of external information system services comply with University information security requirements; and
• Define and document oversight and user roles and responsibilities with regard to external information system services.
• Employ processes, methods, or techniques to monitor security control compliance by external service providers on an ongoing basis.

 Procedures:
▪ General Security
• TWU reserves the right to periodically audit the application infrastructure assigned to TWU by the ASP in order to ensure compliance with the ASP policy and these standards. If required, TWU may request non-intrusive network audits (i.e., basic port scans). The results of comprehensive network and physical audits of the ASP may be requested by TWU. The ASP reserves the right to limit the disclosure of these results to only include infrastructure that pertains to TWU.
• The ASP must provide a proposed architecture document that includes a full network diagram of the TWU application environment, illustrating the relationship between the environment and any other relevant networks. The document must also include a full data flowchart that details where TWU data resides, what data will be collected, data fields required, the applications that manipulate it, and the security methods used to protect the data.
• The ASP must be able to immediately disable all or part of the functionality of the application should a security issue be identified.
• A current SAS 70 certification provided from the vendor is a suitable substitute for this ASP agreement. If the ASP fails to maintain SAS 70 certification, they will be required to complete the ASP agreement for TWU’s re-evaluation.
• The ASP must provide a written statement that upon contract termination, the hosting facility storage device (containing TWU data) will be degaussed, physically destroyed, or deleted using the destruction methods described in DoD 5220.22-M. Upon completing data destruction, the ASP must provide a signed statement to TWU certifying the data was destroyed.
▪ Physical Security
• The equipment hosting the application for TWU must be located in a physically secure facility, which requires logged access at a minimum.
• The ASP must disclose who amongst their personnel will have access to the environment hosting the application for TWU.
• TWU requires that the ASP disclose their ASP background check procedures prior to TWU selecting the ASP.
▪ Network Security
• The network hosting the application must have, at a minimum, a firewall separating the hosted application from the internet and any DMZ networks. The firewall must be configured using the “least privilege” methodology.
• Sensitive information transmitted over the ASP network must be encrypted at all times.
▪ Host Security
• The ASP must disclose, upon request, how and to what extent the hosts comprising the TWU application infrastructure have been hardened against attack. If the ASP has hardening documentation, provide that as well.
• The ASP must provide, upon request, a listing of current patches on hosts, including host OS patches, web servers, databases, and any other material application.
• Information on how and when security patches will be applied must be provided upon request.
• The ASP must disclose, upon request, their processes for monitoring the integrity and availability of those hosts.
• The ASP must provide upon request, information on their password policy for the TWU application infrastructure.
• The ASP must provide a list of possible authentication methods to the TWU application. TWU will not provide internal usernames/passwords for account generation.
• The ASP must provide information on the account generation, maintenance and termination process for both system administration and user accounts.
▪ Web Security
• At TWU discretion, the ASP may be required to disclose the specific configuration files for any web servers and associated support functions (such as search engines or databases) that pertain to the TWU application.
• The ASP must provide, upon request, information pertaining to all programming languages used to develop the TWU application.
• The ASP must provide information regarding any security and/or quality assurance testing performed on the web application.
• The ASP must provide information regarding its code review process and vulnerability remediation process.
▪ Cryptography
• When protecting sensitive information, TWU’s application infrastructure cannot utilize any "homegrown" cryptography – any symmetric, asymmetric, or hashing algorithm utilized by the TWU application infrastructure must utilize algorithms that have been published and evaluated by the general cryptographic community. Encryption methods utilized must be listed on TWU’s Acceptable Encryption regulation and procedure 9.03. Connections to the ASP utilizing the Internet must be protected using any of the following cryptographic technologies: IPSec, SSL, SSH/SCP, PGP.

SA-10 Developer Configuration Management:

 Regulations:
▪ TWU requires developers of information systems to:
• Have configuration management implemented while information systems are operational;
• Document, manage, and control the integrity of changes to information systems;
• Implement only organization-approved changes to the information system;
• When appropriate, document approved changes to the information system, component, or service and the potential security impacts of such changes; and
• Track information security flaws and flaw resolution within the information system and report findings to the appropriate personnel.

 Procedures:
▪ All security-related information resources changes shall be approved by the information owner through a change control process managed by OOT service request system.
▪ System owners track changes using tools appropriate to their assigned information system.
▪ All users must report information security flaws to the Service Desk. The flaw will be tracked using the service request system.

APPLICABILITY TWU Students, Faculty, Staff, and Guest 

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; suspension or expulsion (in the case of a student).

Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Owner:Associate Provost for Technology


Article ID: 56382
Fri 6/22/18 11:02 AM
Mon 3/25/19 11:19 AM