Vendor Technical Security Evaluation
Revised June 2, 2014
UT Dallas takes seriously its responsibility to protect information assets on behalf of stakeholders such as
students, faculty, staff, and the citizens of Texas. When engaging vendors to perform information processing or
enable software capabilities, a vendor evaluation is performed to ensure that reasonable controls are in place to
manage risk. The questions below have been designed to gain a better understanding of the current processes and
protections that a vendor is able to offer UT Dallas. Please respond to the extent the question is applicable, or note
when a particular question may not be applicable.
Completed surveys will be analyzed and follow-up research may be performed at the discretion of the
Information Security department.
Not all vendor relationships have the same risk profile. The Information Security department may waive the
need for a completed Vendor Evaluation form for lower risk scenarios. Factors that may contribute to higher risk
include the transfer of UT Dallas data to the premises of a vendor, providing a vendor with network connectivity to
UT Dallas, handling data with associated regulatory requirements, or entering into vendor relationships that could
pose risk to the reputation of UT Dallas.
Questions and concerns may be directed to infosecurity@utdallas.edu.
1.
Provide name, title, and contact information for the vendor representative providing answers below.
2.
Provide a general description of the product or service to be provided to UT Dallas, including the problem
to be solved or business need to be fulfilled by this new vendor relationship.
3.
Describe all data elements that will be provided to the vendor. Examples of data elements include, but are
not limited to, social security number (SSN), class grades, medical records, or credit card numbers.
4.
Will UT Dallas information will be accessed, stored, or processed at locations outside of the physical
control of UT Dallas? If so, will locations be within the United States or outside?
5.
Will the product or service be entirely supported by the vendor, or will the vendor also share UT Dallas
information with subcontractors? Subcontractor relationships should be described, including the locations
of their operations. Will subcontractors be subject to the same security policies and procedures of the
vendor contracted by UT Dallas?
6.
UT Dallas is subject to various state and federal compliance frameworks. Information shared with vendors
is subject to such compliance. Please indicate all applicable compliance frameworks and demonstrate that
such compliance has been achieved. Examples include, but are not limited to, FERPA, HIPAA, PCI DSS, and
GLBA.
7.
Various forms of documentation will help UT Dallas understand the safety and soundness of vendor
operations which might affect data security. Examples of such documents include Information Security
Policy, SSAE16 (SOC I, II, and III) or SAS70, ISO 27000 certification, IT Audit reports, web application
security tests (i.e. OWASP vulnerabilities), and Business Continuity / Disaster Recovery plans and test
results. Please provide copies of applicable documents.
8.
Are employees who will have access to UT Dallas information subject to background checks and are they
required to sign a confidentiality agreement indicating they will not copy or misuse information they have
access to in performing their job responsibilities? Describe processes in place to mitigate risk at the time
an employee terminates, including remove of logical access and collection of physical assets.
9.
Describe data retention and destruction procedures, including methods, timeframes, and applicability
during contract, at conclusion of contract, and in the event vendor is acquired or terminates business
operations. In the event that UT Dallas data retention and destruction requirements vary from those
described, please describe the process to adjust vendor’s procedures to match UT Dallas expectations.
10. UT Dallas expects timely notification of both possible and confirmed data breaches before any other
parties are notified. Please describe the communication protocols by which vendor will interact with UT
Dallas Information Security including maximum timeframe needed to provide notification.
11. If UT Dallas detects a security or performance concern, please describe the process to obtain vendor
support. Distinguish between routine and emergency requests.
12. Provide a technical architecture description or diagram indicating the flow and storage of UT Dallas
information between UT Dallas and the vendor’s environments, including subcontractor environments.
Include a list of vendor-owned IT assets supporting the contracted product or service, as necessary.
13. Describe the user access architecture you recommend for this product or service. If UT Dallas user
credentials will be leveraged, will your systems be compatible with our existing directory services
environment? Will vendor maintain a separate database outside of UT Dallas control containing user
credentials? How will credentials be encrypted when stored and transmitted?
14. How will data be transported between UT Dallas and the vendor? What method(s) of connectivity will be
established and what risk mitigation controls will be utilized, such as encryption of data in transit and data
at rest?
15. In addition to encryption methods, please provide general description of the security controls and
processes in place to protect UT Dallas information when accessed, stored, or processed in the vendor’s
environment. For example, assignment of least necessary user access privileges, formal change control,
standardized configurations, backup procedures, timely patch management procedures, event monitor
and response.
16. Describe the physical security and environment control capabilities in place for data centers and work
spaces where UT Dallas information may be accessed, stored, or processed.