Information Security's Role in the Procurement Process

Tags infosec

Be sure to include the Office of Information Security in the sourcing phase of any effort to acquire information technology services, hardware, or software.  Involving Information Security should occur for free services as well as those for which payment is made.

How do I include Information Security in the process?

Submit a short form to Request an Assessment from Information Security.

Acquiring an information technology resource will entail agreeing to contractual terms and conditions.  The contract could be as simple as an online 'click-through' agreement where you say "I agree", or as detailed as a lengthy contract resulting from months of negotiations between Dartmouth and the vendor.  In every scenario, Information Security should be contacted well before you accept any terms or agreement that binds Dartmouth.

Why should I include Information Security in the process?

Dartmouth's experts can evaluate security risks related to a vendor, a service to be provided, and any hardware or software being acquired.  Areas of review commonly include:

  • information technology resource being acquired
  • Dartmouth systems impacted by the resource
  • sensitivity of data involved
  • vendor security
  • hardware or software security
  • the vendor's response to potential data breaches
  • the vendor's Service Level Agreement

What types of information may I be asked to provide for the security review?

  • A description of the Dartmouth data that will be accessed by, provided to, transmitted, processed, or stored in the IT resource being procured.  Examples of Dartmouth data include student/faculty/staff contact information, financial transactions, video recordings, research data, emails, and class work.
  • DISC level of the data you described above.  Data Security Level definitions are below.  For more information please see the Dartmouth Information Security Policy.
    • Level 0 - Data meant for public disclosure is defined as Level 0.
    • Level 1 - Data with no confidentiality classification, but not intended for public disclosure, is considered Level 1 data. This is general business data for use within Dartmouth, and protected at a baseline level of control (available to the Dartmouth community via authenticated IT access, or authorized physical access to Dartmouth facilities).
    • Level 2 - Data classified as level 2 are data which can only be shared with individuals deemed to have a 'need to know' as defined by the data owner.
    • Level 3 - Data classified as level 3 are data classified as strictly confidential, requiring the highest level of sensitivity. This includes FERPA data, personally identifiable information (PII), personal health information (PHI), credit card information (PCI), among others.
  • When the DISC level is Level 2 or Level 3 then additional application security and data protection information will be requested including one or more of the following.
    • Vendor Security Self-Assessment (VSSA) - This workbook contains Dartmouth's control objectives which are based on Dartmouth's implementation of the ISO standard 27002.  A copy of the VSSA workbook is available as an attachment to the Dartmouth Information Security Policy.
    • System and Organization Controls (SOC) Reporting - designed to build trust and confidence in a vendor's services through a report by an independent Certified Public Accountant (CPA)
      • SOC 2 Type 2 - restricted use reports, often require a signed Non-Disclosure Agreement (NDA) for release
      • SOC 3 - general use reports that can be distributed freely, should not require a signed NDA for release
    • ISO 27001 - a vendor can be certified against the ISO 27001 standard and therein show its customers that it safeguards their data
    • Vendor Data Processing Agreement (DPA) - GDPR compliance requires a data controller to sign a data processing agreement with any party that acts as data processor on its behalf.  A data processing agreement is a contract that states the rights and obligations of each party concerning the protection of personal data.
    • Other Data Security Documentation - examples include vendor security White Papers, and product information data sheets
  • A copy of the vendor's Service Level Agreement (SLA).
  • A copy of the applicable Statement of Work or Scope of Work (SOW).


Article ID: 132120
Tue 5/4/21 4:03 PM
Fri 5/21/21 2:01 PM