The University processes, stores, and transmits an immense quantity of electronic information to conduct its academic and business functions. Without appropriate controls and security measures, these assets are exposed to damage and to loss of confidentiality or privacy, and the University's activities are exposed to interruption.
Full list of security criteria
- What services will be provided?
- Will there be PII, restricted, or other notification triggering data stored?
- What other services could be provided?
- Even if it is not in the current plan, how likely is it that use of the provided services will expand, or that new services will be added, once this is adopted?
- How long is the agreement?
- How likely is it that the costs will increase at the end of the agreement?
- Does the agreement include a warranty that the service will perform as specified?
- What is the SLA?
Data Management and Ownership
- How are data removed if we terminate the relationship?
- How are data deleted? Is the deletion confirmed?
- Are data stored entirely in the US?
- Do we own our data?
- How are we notified in the event of a legal demand for data?
- Who is responsible for producing data in response to such a demand: the provider or UCI?
- What tools are in place for eDiscovery? How can we find data? How can we preserve data?
- When a user removes their data from the provider, does the provider retain any rights to continue using that data? How long will the data remain with the provider (in online and offline storage)?
- Which jurisdiction's law governs the agreement?
- Are there clear, accurate, and exhaustive network and data communication flow diagram(s)?
- How are authentication and authorization performed? Do they integrate with campus authentication systems?
- What transition issues are expected?
- How are data transferred to and from the provider for the transition?
- Does the provider have an adequate security plan and does it map to other compliance frameworks?
- Has the provider’s security plan been audited by a trustworthy and certified third-party?
- Has the provider completed a response to the Cloud Security Alliance (CSA) controls?
- Has the provider signed a Business Associate Agreement (BAA), where HIPAA-covered data are involved?
- Are the data encrypted, both in transit and at rest, and who controls the encryption keys?
- Is the provider certified to meet other compliance requirements (HIPAA, FERPA, PCI, etc.)?
- Are there clear areas where the service should not be used?
- Will we be notified within 48 hours of a breach?
- Who is responsible for notifying users of a breach?
- If the compromise results from the provider's negligence, is the provider or the campus responsible for the notification and its related expenses?
- Does the provider have insurance? How much is the insurance and what does it cover?
- How does using the system affect our ability to detect compromised accounts?
- How does using the system affect our ability to respond to phishing messages?
- Are there mechanisms to detect and report anomalous authentication attempts or account compromise?
- What are the provider’s anti-spam/anti-phishing capabilities?
- What is logged?
- How are logs viewed and accessed?
- Can logs be integrated with our tools?
- Can the logs identify which messages or items were accessed during a session?
- Does the audit capability provide a complete session profile, meaning that a transaction can be traced through every infrastructure component (such as load balancers) back to an individual session?
- Does the provider perform backups? How frequently? How long are they retained?
- Where are the backups stored? Are the backups encrypted?
- Can individual messages or items be recovered?
- If so, how does that affect our eDiscovery mechanisms?
- In the past 12 months, have there been any publicly available regulatory or legal findings regarding the provider's data security or privacy practices? What were those findings?
- Are peer institutions adopting this provider's services?
- What have they reported in terms of satisfaction or concern?