Information Security Checklist for Externally Hosted Services

The following checklist should be used as a starting point to review information security related to the systems and services owned by the unit, department, or college but hosted by a third party on an external network. These topic areas are supported by the Standards and Guidelines associated with University Policy 311 Information Security.

Acquisition Planning

Information security controls should be included in the considerations for any new information system or for the enhancement of any existing information system. The service owner should address the following topics during the planning phase.

  1. Have you identified and classified the information to be provided, accessed, or stored to determine appropriate data protection and handling?
  2. Have you included the university’s data protection contractual language, which covers the following:
    1. vendor’s or external party’s documented commitment to employ industry best practices for the protection of university data;
    2. vendor’s or external party’s commitment to provide timely notification of security breaches;
    3. details for handling data upon termination of the contract or agreement?
  3. If the system or application involves credit/debit card payment transactions, have you contacted the university Controller’s eCommerce Office for assurance of compliance with PCI-DSS and the university’s Payment (Credit/Debit) Card Processing Standard?
  4. If the system will house data governed by export controls, have you confirmed that the vendor or external party will not store or transmit data outside of the U.S.?
  5. Have you obtained review and approval from the university CIO prior to securing a contract with a cloud service provider?
  6. If the system is a web application, have you inquired about whether the application supports single sign-on integration?

Operational, Physical and Environmental Security

The service owner should address the following security best practices. For externally hosted systems, they may be handled by the vendor or service provider.

  1. Formal change management process
  2. Capacity management planning
  3. Separation of production, test, and development environments
  4. Controls to detect, prevent, and recover from malware
  5. Backup management process
  6. Event log maintenance
  7. Logs of privileged account holders’ activity
  8. Vulnerability management program
  9. Business continuity and disaster recovery planning
  10. Physically secure areas with appropriate access controls

Data Management

The service owner should address the following questions during the development phase.

  1. Have you identified the data classification level for information stored or transmitted to/from the system or application?
  2. Before transmitting sensitive university information, have you ensured that agreements are in place between the university and the external party to protect the data?
  3. Before transferring sensitive university information, have you checked the restrictions on how the data is to be handled, which may be governed by:
    1. the Guideline for Data Handling
    2. a Data Security Plan
    3. constraints placed by the data owner or the Data Security Officer
    4. legal, regulatory or contractual restrictions
    5. export control regulations
  4. If using production data containing sensitive or confidential information for testing purposes, have equivalent access controls and other security measures been applied to the test system as exist in the production environment?

Access Control

The service owner should address the following questions during the implementation phase.

  1. If not using the centrally managed authentication system, are you following a formal password management protocol and adhering to the Standard for password management?
  2. Do you have a formal process for the authorization of user access and are you reviewing user access rights at regular intervals?
  3. Are you ensuring that special accounts with elevated privileges (e.g., root, super user, system admin) adhere to the standard password requirements and are included in a documented audit conducted at least annually?
  4. Is access to systems terminated when an employee leaves or moves to another department?
  5. Are the access rights of student workers and third party users removed upon termination of employment, contract or agreement?
  6. While unique user IDs are the standard, if the business need requires the use of shared user IDs, is there a process in place to change the password frequently and at a minimum whenever a member of the group is terminated or changes jobs?
  7. Have unnecessary vendor-supplied default accounts been removed or disabled or, if an account is required, has the default password been changed prior to production implementation?
