Page History

...

Table of Contents:

Anchor
Top Top

...

• Purpose

...

• Disclaimer

...

• References

...

• Background

...

• Criticality

...

• How to Use This Toolkit

...

• The Three Steps
• A Word About Requests For Proposals (RFP)

...

• Decision Tree
• A Word About Third-Party Risk Assessments

...

• A Word About Contract Monitoring

...

• Themes
• Appendix 1
• Appendix 2

Purpose:

To provide sample proposal and contract language for common themes related to data protection as well as practical guidance as to when and how to consider the themes when drafting or reviewing a request for information (RFI), request for proposal (RFP) or contract.
#TopTop

...

For the foregoing reasons, it is essential that any intended use of the sample requirements and contractual clauses be reviewed by appropriate institutional legal counsel in the full context of the proposal requirements and contractual arrangement prior to communication to the other contracting party and during negotiation of terms. Ultimately, the greatest concern should be that the final negotiated result accurately reflects the intention of the parties and the reality of the situation.
#TopTop

...

• Documents provided by committee members
• ICPL EDUCAUSE Policy Discussion Group list references provided by committee members
• SANS (policies references)
• ISO/IEC 27002:2005 Code of Practice for Information Security Management (pertinent language included, Appendix 1)
• NIST Sp. Pub. 800-53, Rev. 2; section 2.4 (Security Controls in External Environments) (pertinent language included, Appendix 2).
  • See control AC-20 (Use of External Information Systems) for additional guidance.
• http://counsel.cua.edu/ferpa/ (Catholic University of America , FERPA page, (see Data Security Addendum)
• Solutions Training Group: "Writing, Evaluating, and Managing Airtight RFPs" Bruce E. Truitt, Instructor.
• SupplierSelect News "Writing Good RFP Questions" 2008
• The University of Texas System Office of General Counsel "Security and Privacy Requirements for Information Resources / Services Contract"
• The University of Texas Health Science Center at San Antonio: Third-Party Management of Information Resources Policy
• The University of Texas Health Science Center at San Antonio: Third-Party Risk Assessment Security Standard
• The University of Texas at Austin: Security Checklist for Hosted IT Services
• Northwestern University Contract language for the secure handling of sensitive data http://www.it.northwestern.edu/policies/contractlanguage.html
• Oakland University Mutual Non-Disclosure Agreement http://www2.oakland.edu/uts/files/MutualNonDisclosureAgreement.doc
•  
• Princeton University Information Security Policy, Confidential Information AddendumPrinceton University Information Security Policy, Confidential Information Addendum http://www.princeton.edu/~protect/PoliciesAndGuidelines/InfoSecPolicy05-21-2004.pdf
• Purdue University Purdue University Information Security Program, Addendum to Service Provider Agreement http://www.itap.purdue.edu/security/policies/GLBPurdue1.docto Service Provider Agreement
• University of California Additional Terms and Conditions - Data Security http://www.ucop.edu/irc/itsec/uc/documents/datasecurityappen.pdfAppendix
• University of Southern CaliforniaUniversity of Southern California  Information Security Policy, Confidentiality Agreement http://policies.usc.edu/policies/infosecurity040704.pdf
• Info-Tech Research Group "retool Requirements Gathering to Ensure Compliance" February 7, 2007

NOTE: Sample RFP requirement questions and contractual clauses have been sanitized and identifying information related to a particular institution of higher education has been removed. In addition, while all of the references provided by working group members were reviewed, the working group stopped adding sample questions and clauses to this document once we accumulated several samples for each theme (unless one of the references included a unique wording or clause that was not already addressed). Institutions of higher education are encouraged to add their own sanitized sample questions and clauses as a way to make this document "living" following the uniqueness principle.
#TopTop

...

The challenge facing individuals responsible for drafting and reviewing RFPs and contracts for the purchase of information technology products and services - often individuals with job functions other than legal counsel - is, considering the nuances and particularities of each contract, knowing what clauses to include or look for in a contract and what clauses could be unnecessary or overburdening.
#TopTop

...

Category 4: Recommended to address common situational requirements

#TopTop

How To Use This Toolkit:

#The The Three Steps

As a practical approach to address the aforementioned challenge, this document divides the procurement of information technology products and services into three steps and organizes proposal and contractual language security themes around a decision tree consisting of four questions that an individual drafting or reviewing an RFP or contract should ask her/himself.

The basic idea is to consider each step and each question at a time in sequence and to select only those steps and themes that apply to the product or service being purchased and the data being protected. Nevertheless, as these processes are not necessarily linear, the individual may find a different approach worthwhile.
#TopTop

...

Assuming that we already know "what" we are procuring and that we are now concerned with the "from whom" we procure it, the procurement process for information technology products and services can be divided into the following three general steps:1.

1. Vendor Selection

...

1. Contract Negotiation

...

1. Contract Monitoring

#TopTop

A Word About Requests For Proposals (RFP):

#Decision Decision Tree

An RFP is an invitation for vendors to submit a proposal on a specific product or service. RFPs are usually designed to get vendors to provide a creative solution to a business problem or requirement, bring structure to the procurement decision, and allow the risks and benefits of a solution to be identified clearly upfront. The creativity and level of detail that vendors choose to include in their proposals should be used to evaluate the quality of the vendors' proposals, their understanding of your business and requirements, and as a means of comparison against each other.

...

The Sample RFP Language provided in the themes below are intended to be just that - examples and a memory-jogger to assist in identifying specific items that may need to covered but are not.

#TopTop

...

1. What should be the Core Language that I should always have in an RFP or contract?
2. Are the process and/or data covered in my RFP or contract impacted by a federal, state, or local law, regulation, or contractual obligation?
3. Are there other common security items that apply to the process, product, service, or data covered in my RFP or contract?

Are there special conditions that I should consider? Am I missing something?

...

Top

A Word About Third-Party Risk Assessments:

#A A Word About Contract Monitoring

...

• Assess the risk of engaging the finalist, or top - two , third-party vendors. ; This can be done by requiring finalist vendors to complete a third-party information security assessment survey (see Resources below)like the Higher Education Cloud Vendor Assessment Tool developed by the HEISC Shared Assessments Working Group. 
• Review the answers and identify "weak" points. Do the vendors provide additional documentation? Do responses pass the "smell test"?
• Schedule a conference call with vendor contact person to go over the assessment results and the institution's requirements
• Call vendor references to validate the assessment results and learn if there is evidence of non-performance at other clients sites
• Identify areas needing mitigation and required cure and include them as language in final agreement and/or statement of work.

Resources:

• Higher Education Cloud Vendor Assessment Tool developed by the HEISC Shared Assessments Working Group
• Third-Party Information Security Assessment Survey developed by The University of Texas Health Science Center at San Antonio.
• Shared Assessments provides tools to evaluate third party vendor software and services.

#TopTop

A Word About Contract Monitoring

#ThemesThemes

Monitoring can mean different things to different people. For the purpose of this document, monitor means to assess, to watch, to keep track of, or to check, usually, with a special purpose. It does not mean or imply to verify or even to test. Actually, monitoring is more of a spectrum that ranges from just "keeping an eye" in the low end to requiring a site audit in the high end. Given the availability of resources at institutions of higher education, verification could be an impractical and significantly costly requirement if applied to all or most third-party contracts.

...

It is important to keep in mind that contract monitoring is the last step of a cascading progression. The initial identification of process and data impacted as well as initial security requirements are used to formulate questions for the RFP. The answers to the RFP are used to evaluate vendors and refine the security requirements. The evaluation and risk assessment of finalists refine the security requirements that will, in turn, be added as language to the contract or statement of work. And, finally, it is the final contract and corresponding risk level that determine the appropriate contract monitoring approach.

#TopTop

Themes

Sample contract clauses are available for each of the following themes:

• Assistance With Litigation
• Credit Card Data
• Data Definition
• Data Protection After Contract Termination
• Data Sharing
• Data Transmission (including Encryption)
• Financial Information
• General Data Protection
• Indemnification as a Result of Security Breach
• Intellectual Property Protection
• Notification of Security Incidents
• Protected Health Information (HIPAA)
• References to Third Party Compliance With Applicable Federal, State, and Local Laws and Regulatory Requirements
• References to Third Party Compliance With University Policies, Standards, Guidelines, And Procedures
• Security Audits and Scans (Independent Verification)
• Security Incident Investigations
• Separate Document Addressing Data Protection
• State Breach Notification Laws
• Student Education Records (FERPA)
• Use of Data

#TopTop

Appendix 1
Appendix 2

...

Questions or comments? Contact us.

...