Division of IT: Applications Security
Information Technology Procurement
Security Requirements for Information Technology Purchases
As part of the selection process vendors must demonstrate compliance with the security criteria listed below by responding in writing to every statement and question in the six categories. Vendor responses will be reviewed and remediation measures may be suggested for any areas that fall short of the minimum security criteria.
The security criteria are subject to additions and changes without warning. The University of Missouri reserves the right to periodically audit the hardware and/or software infrastructure to ensure compliance with industry best practices and these standards. Per University policy, all applications must be registered with the Division of IT, Information Security & Account Management group. Additionally, applications must be assigned the appropriate data classification level and meet the applicable security requirements for that level. All applications must also undergo a security inspection.
A consultation with ISAM is required to ensure the appropriate security requirements are met. This consultation can be scheduled by contacting isam@missouri.edu.
Instructions
Explicit technical responses to the following statements and questions are required, or an acknowledgement where indicated. Please include any security whitepapers, technical documents, or policies that are applicable. The University of Missouri requires compliance with the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) specifications, and all other applicable state, local and federal laws and regulations.
General Security
- The vendor must provide a proposed architecture document that includes a full network diagram of the environment, illustrating the relationship between the environment and any other relevant networks, with a full data flowchart that details where data resides, the applications that manipulate it, and the security thereof.
- The vendor must acknowledge that they are able to, and will, immediately disable all or part of the system functionality should a security issue be identified.
- The vendor must demonstrate compliance with all legal regulations applicable to the data accessed, transmitted, or stored. The vendor must disclose plans for complying with applicable regulations including details about the information collected and stored. Details of any third party reviews related to regulatory compliance must be included.
- The vendor must provide documentation that shows that they follow industry standard best practices for system configuration and development.
Physical Security
- The equipment must be located in a secure facility with the use of physical tokens for access, at a minimum.
- The vendor must disclose the personnel roles for vendor or third party staff who will have access to the hardware for the University of Missouri managed system or application.
- The vendor must provide their procedures for granting physical access and their process for auditing the access list.
Network Security
- The vendor must acknowledge that it deploys a host-based firewall.
- The vendor must acknowledge that it deploys network-based firewall technology if data between the University of Missouri and the vendor will go over the Internet.
Host Security
- The vendor must disclose how and to what extent the University of Missouri data is segregated and protected from other customers.
- The vendor must disclose how and to what extent the hosts comprising the University of Missouri infrastructure have been hardened against attack. If the vendor has hardening documentation, provide that as well.
- The vendor must ensure the application of current non-critical patches on hosts, including host OS patches, web servers, databases, and any other applicable application. Describe the time duration that typically passes from notification of patch availability to their application. The University expects non-critical patches to be applied within 30 days of release.
- The vendor must ensure that critical patches are applied in a timely manner. Describe the time duration that typically passes from notification of critical patch availability to their application. The University expects critical patches to be applied within 15 days. This question applies to hosts, including host OS patches, web servers, databases, and any other applicable application.
- The vendor must provide their procedures for system administrator access and their process for auditing the access list.
Application Security
- The vendor must describe their process for applying non-critical application patches.
- The vendor must provide their policies for responding to application security vulnerabilities and applying security patches.
- The vendor must disclose their processes for monitoring the application/system integrity and availability.
- The vendor must provide information on their password policy for the University of Missouri application instance, including minimum password length, password generation guidelines, and how often passwords are changed. The University’s minimum expectations are 8 characters, alphanumeric with upper and lower case, and at least 1 special character.
- The vendor must disclose how user authentication works.
- The vendor must provide their procedures for granting elevated application permissions (i.e., privileged access for management, reporting and maintenance of the application) and their process for auditing the access list.
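As an added illustration, not part of the University's document, the following Python compares a vendor's written password policy, and a sample password, against the minimum expectations listed above. The PasswordPolicy fields and the reading of "alphanumeric" as requiring both a letter and a digit are assumptions made for this example.

```python
from dataclasses import dataclass
import string

# University minimum stated on this page: 8 characters, alphanumeric with
# upper and lower case, and at least 1 special character. Reading
# "alphanumeric" as "at least one letter and one digit" is this example's
# interpretation, not wording from the page.
UNIVERSITY_MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)  # assumption: ASCII punctuation is "special"


@dataclass(frozen=True)
class PasswordPolicy:
    """A vendor's stated password policy, as it might appear in a written response."""
    min_length: int
    requires_upper: bool
    requires_lower: bool
    requires_digit: bool
    requires_special: bool


UNIVERSITY_MINIMUM = PasswordPolicy(UNIVERSITY_MIN_LENGTH, True, True, True, True)


def policy_gaps(vendor: PasswordPolicy) -> list[str]:
    """Rules in the University minimum that the vendor's policy does not enforce."""
    gaps = []
    if vendor.min_length < UNIVERSITY_MINIMUM.min_length:
        gaps.append(f"min_length {vendor.min_length} < {UNIVERSITY_MINIMUM.min_length}")
    for rule in ("requires_upper", "requires_lower", "requires_digit", "requires_special"):
        if getattr(UNIVERSITY_MINIMUM, rule) and not getattr(vendor, rule):
            gaps.append(f"{rule} not enforced")
    return gaps


def password_failures(password: str) -> list[str]:
    """Rules in the University minimum that a concrete password violates."""
    checks = [
        (len(password) >= UNIVERSITY_MIN_LENGTH, f"shorter than {UNIVERSITY_MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIAL_CHARS for c in password), "no special character"),
    ]
    return [message for ok, message in checks if not ok]


if __name__ == "__main__":
    # Constructed sample vendor response: 6-character minimum, no special-character rule.
    print(policy_gaps(PasswordPolicy(6, True, True, True, False)))
    print(password_failures("Mizzou2024!"), password_failures("password"))
```

A non-empty result from policy_gaps is the list of shortfalls a reviewer would raise as remediation items with the vendor.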
Web Security
- The vendor must provide their documentation for conducting security Quality Assurance testing for the application. Testing must include authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture.
- The vendor must disclose their process for web code review for the explicit purpose of identification and remediation of security vulnerabilities. Details on who conducted the review, the results, and any remediation activity that has taken place must be included.
Cryptography
- The vendor must acknowledge that they will deploy cryptographic technology to protect traffic between the University of Missouri and the vendor.
- The vendor must use cryptographic algorithms that have been published and evaluated by the general cryptographic community. The University of Missouri infrastructure cannot utilize homegrown cryptography.
- The vendor must provide documentation on the PKI requirements for the University of Missouri infrastructure.
- The vendor must acknowledge that remote administration of the system shall be done using encrypted channels.