Vendor Technical Security Evaluation Revised June 2, 2014 UT Dallas takes seriously its responsibility to protect information assets on behalf of stakeholders such as students, faculty, staff, and the citizens of Texas. When engaging vendors to perform information processing or enable software capabilities, a vendor evaluation is performed to ensure that reasonable controls are in place to manage risk. The questions below have been designed to gain a better understanding of the current processes and protections that a vendor is able to offer UT Dallas. Please respond to the extent the question is applicable, or note when a particular question may not be applicable. Completed surveys will be analyzed and follow-up research may be performed at the discretion of the Information Security department. Not all vendor relationships have the same risk profile. The Information Security department may waive the need for a completed Vendor Evaluation form for lower risk scenarios. Factors that may contribute to higher risk include the transfer of UT Dallas data to the premises of a vendor, providing a vendor with network connectivity to UT Dallas, handling data with associated regulatory requirements, or entering into vendor relationships that could pose risk to the reputation of UT Dallas. Questions and concerns may be directed to infosecurity@utdallas.edu. 1. Provide name, title, and contact information for the vendor representative providing answers below. 2. Provide a general description of the product or service to be provided to UT Dallas, including the problem to be solved or business need to be fulfilled by this new vendor relationship. 3. Describe all data elements that will be provided to the vendor. Examples of data elements include, but are not limited to, social security number (SSN), class grades, medical records, or credit card numbers. 4. Will UT Dallas information will be accessed, stored, or processed at locations outside of the physical control of UT Dallas? If so, will locations be within the United States or outside? 5. Will the product or service be entirely supported by the vendor, or will the vendor also share UT Dallas information with subcontractors? Subcontractor relationships should be described, including the locations of their operations. Will subcontractors be subject to the same security policies and procedures of the vendor contracted by UT Dallas? 6. UT Dallas is subject to various state and federal compliance frameworks. Information shared with vendors is subject to such compliance. Please indicate all applicable compliance frameworks and demonstrate that such compliance has been achieved. Examples include, but are not limited to, FERPA, HIPAA, PCI DSS, and GLBA. 7. Various forms of documentation will help UT Dallas understand the safety and soundness of vendor operations which might affect data security. Examples of such documents include Information Security Policy, SSAE16 (SOC I, II, and III) or SAS70, ISO 27000 certification, IT Audit reports, web application security tests (i.e. OWASP vulnerabilities), and Business Continuity / Disaster Recovery plans and test results. Please provide copies of applicable documents. 8. Are employees who will have access to UT Dallas information subject to background checks and are they required to sign a confidentiality agreement indicating they will not copy or misuse information they have access to in performing their job responsibilities? Describe processes in place to mitigate risk at the time an employee terminates, including remove of logical access and collection of physical assets. 9. Describe data retention and destruction procedures, including methods, timeframes, and applicability during contract, at conclusion of contract, and in the event vendor is acquired or terminates business operations. In the event that UT Dallas data retention and destruction requirements vary from those described, please describe the process to adjust vendor’s procedures to match UT Dallas expectations. 10. UT Dallas expects timely notification of both possible and confirmed data breaches before any other parties are notified. Please describe the communication protocols by which vendor will interact with UT Dallas Information Security including maximum timeframe needed to provide notification. 11. If UT Dallas detects a security or performance concern, please describe the process to obtain vendor support. Distinguish between routine and emergency requests. 12. Provide a technical architecture description or diagram indicating the flow and storage of UT Dallas information between UT Dallas and the vendor’s environments, including subcontractor environments. Include a list of vendor-owned IT assets supporting the contracted product or service, as necessary. 13. Describe the user access architecture you recommend for this product or service. If UT Dallas user credentials will be leveraged, will your systems be compatible with our existing directory services environment? Will vendor maintain a separate database outside of UT Dallas control containing user credentials? How will credentials be encrypted when stored and transmitted? 14. How will data be transported between UT Dallas and the vendor? What method(s) of connectivity will be established and what risk mitigation controls will be utilized, such as encryption of data in transit and data at rest? 15. In addition to encryption methods, please provide general description of the security controls and processes in place to protect UT Dallas information when accessed, stored, or processed in the vendor’s environment. For example, assignment of least necessary user access privileges, formal change control, standardized configurations, backup procedures, timely patch management procedures, event monitor and response. 16. Describe the physical security and environment control capabilities in place for data centers and work spaces where UT Dallas information may be accessed, stored, or processed.