Third Party Software Security and Accessibility Audit

Every third party software vendor we use needs to answer the following questions.

  1. Has your software application been load-tested?

  2. Do you encrypt customer data in storage?

  3. Do you encrypt customer data during transmission across network boundaries?

  4. Do you have a group or individual assigned responsibility for information security?

  5. Do technologies and services you offer adhere to Section 508 of the Rehabilitation Act and the Americans with Disabilities Act?

  6. If employing web-based technology, does your application conform with Level AA accessibility standards set forth in WCAG 2.0?


Once these questions have been answered, a formal security review of the software must be conducted; IS&T will initiate that review. This should occur prior to any contract being signed.


Questions/comments should be directed to the director of IS&T.


Other:

Security Control Requirement

All Users of this Information System must be uniquely identified.

All Users of this Information System must be authenticated via strong/complex password before receiving access to information and functionality.

This Information System must be configured to restrict each User's privileges to only the minimum necessary for their job function, via roles/role-based access.

Inactive sessions to this Information System must be configured to automatically shut down after a defined period of inactivity.

This Information System must create an audit log that records the details of sensitive transactions (audit logs must include the user id, a time/date stamp, access events, modification events, and other details for password events).

This Information System must be configured to retain audit logs for a minimum of 30 days.

If this Information System transmits Restricted data outside of the University of Utah's network, the Restricted data must be encrypted while in transit.

If this Information System is wholly supported by the University of Utah, the supporting server hardware for this Information System must be located in the downtown data center.

If this Information System's server and hardware are partially or wholly supported by a vendor, the vendor's Statement on Standards for Attestation Engagements No. 16 "Reporting on Controls at a Service Organization" (SSAE 16) report must be on file with the University and included with the response to these minimum security control requirements. (A comparable attestation report for data center controls may be accepted if supplied.)

If this Information System stores Restricted data in the cloud, the Restricted data must be encrypted while in transit to the cloud provider and at rest with the cloud provider.

If this Information System stores Restricted data in the cloud, the Restricted data must not be stored in any off-shore data center locations.

Regular, full backups of this Information System's Restricted data must be taken and tested periodically.

If software development for this Information System is outsourced, the outsourced development must be supervised and monitored by University of Utah employees.

This Information System must maintain up-to-date patch management for security-related controls.