General Data Protection

#Why is this Important
#Reference
#Overview
#Criticality
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
Similar to data use provisions, an institution of higher education may want to consider data protection provisions that stipulate how (i.e., administrative, technical, and physical information security controls) a contracting third party is going to protect institution data. These types of clauses can help provide some assurance that the contracting party is implementing the controls necessary to protect data at a basic level. This type of provision can help protect the institution in event of a data breach or contractual breach. In many instances, these types of clauses can also provide negotiating strength to the institution in the event the institution wishes to audit the contracting third party during the contract term.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b); (b)(1); (b)(7); ( i) ; (u)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control SA-9 (External Information System Services)

Overview:
Many samples include general statements that the third party had to institute adequate controls necessary to protect the confidentiality, integrity, and availability of the institution's data. In some cases, the third party is required to provide controls no less rigorous than the controls it institutes for its own data.

Criticality: Category 2 and Category 3

Sample RFP Language:

  1. Describe the security features incorporated into the product.
  2. List all products, including imbedded products, in the proposal and their corresponding owning company. Note: This is what could be called "potential security problems by proxy." This question can also be included in a product architecture-related section.
  3. Does the Proposer have an Information Security Plan, supported by security policies and procedures, in place to ensure the protection of information and information resources? If yes, describe the outline of the Plan and how often it is updated. If no, describe what alternative methodology the Proposer uses to ensure the protection of information and information resources.
  4. Describe the monitoring procedures and tools used for monitoring the integrity and availability of the systems interacting with the service proposed, detecting security incidents and ensuring timely remediation.
  5. Describe the physical access controls used to limit access to the Proposer's data center and network components only to [Enter appropriate list here].
  6. List the Proposer's staff members and third-party entities, and corresponding roles, that would have access to the environment hosting all systems that would interact with the service proposed including any systems that would hold, process, or from which Institution data may be accessed
  7. What additional administrative, technical and physical security controls does the Proposer have in place or plan to put in place?
  8. What procedures and best practices does the Proposer follow to harden all systems that would interact with the service proposed including any systems that would hold, process, or from which Institution data may be accessed?
  9. What technical security measures does the Proposer take to detect and prevent unintentional [accidental] and intentional corruption or loss of Institution data?
  10. Does the Proposer have a process for security quality assurance testing of the systems interacting with the service proposed? If yes, describe the activities designed to validate the security architecture and functionality.
  11. Describe any assumptions made in the preparation of your proposal regarding information security outside those already supplied by your company in the proposal.
  12. Proposer may create, receive from or on behalf of Institution, or have access to records or record systems that contain social security numbers (SSN). Describe the security features incorporated into the product to safeguard SSNs. Note: The same question may be used for credit cards and other known sensitive data.
  13. Does the proposed solution use a public-key based digital signature as required under [Enter applicable law/directive here]. If yes, describe how the product meets such requirement. If no, what alternatives does the Proposer use to meet such requirement. Note: This is for security solutions that use a Public Key Infrastructure (PKI)
  14. Does the proposed solution use digital certificates from a PKI Service Provider that appears in the "Approved List of PKI Service Providers" [Enter list link here]. If no, what alternatives does the Proposer use to meet such requirement. Note: This is for security solutions that use a Public Key Infrastructure (PKI)

#Top

Sample Contract Clauses:

  1. [Vendor] shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted [term for sensitive data] received from, or on behalf of Institution or its students. These measures will be extended by contract to all subcontractors used by [Vendor].
  2. The [Vendor] agrees that it will protect the Confidential Information it receives according to commercially acceptable standards and no less rigorously than it protects its own Confidential Information. Specifically, the [Vendor] shall implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentially, integrity, and availability of all electronically managed Confidential Information.
  3. [Vendor] agrees that it will protect the Covered Data according to commercially acceptable standards and no less rigorously than it protects its own confidential information, but in no case less than reasonable care. [Vendor] shall develop, implement, maintain and use appropriate administrative, technical and physical security measures which may include but not be limited to encryption techniques, to preserve the confidentiality, integrity and availability of all such Covered Data.
  4. It is the responsibility of [Vendor] to ensure that all possible measures have been taken to secure the computers or any other storage devices used for Institution data. This includes industry-accepted firewalls, up-to-date anti-virus software, controlled access to the physical location of the hardware itself, etc.
  5. Institution shall reserve the right to change or modify without consent any Institution information resource, including but not limited to operating systems, hardware, and/or network configuration, in order to protect Institution information resources against any security vulnerabilities and unauthorized access or abuse.
  6. SSN Specific: [Vendor] agrees that it may (1) create, (2) receive from or on behalf of Institution, or (3) have access to, records or record systems containing social security numbers (collectively, the "SSN Records"). [Vendor] represents, warrants, and agrees that it will: (1) hold the SSN Records in strict confidence and will not use or disclose the SSN Records except as (a) permitted or required by this Agreement, (b) required by law, or (c) otherwise authorized by institution in writing; (2) safeguard the SSN Records according to commercially reasonable administrative, physical and technical standards that are no less rigorous than the standards by which [Vendor] protects its own confidential information; and (3) continually monitor its operations and take any action necessary to assure that the SSN Records are safeguarded in accordance with the terms of this Agreement. At the request of Institution, [Vendor] agrees to provide Institution with a written summary of the procedures [Vendor] uses to safeguard the SSN Records.
  7. Data Storage. [Vendor] also agrees that any and all Institution data will be stored, processed, and maintained solely on designated target servers and that no Institution data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the [Vendor]'s designated backup and recovery processes.

#Top

Core Language

(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).

  • No labels