BYU Information Security Requirements for Vendors
Introduction
Brigham Young University (“BYU”) contracts with vendors to provide the services BYU needs to better accomplish its mission (“Vendors”). Where a Vendor needs to access BYU-owned data in order to perform services for BYU, the Vendor is responsible for implementing the information security requirements described below. These requirements are incorporated into the terms and conditions of each applicable service agreement between Vendor and BYU (“Service Agreement”). They do not replace or supersede any requirements otherwise agreed to by BYU and a Vendor and contained in the Service Agreement.
Definitions
“BYU Data” includes all data (in any format) that, as a result of the Services, BYU allows Vendor to access, possess, view, or otherwise Process.
“Processing” (or to “Process”) means the collection, access, use, disclosure, transmission, transfer, retention, storage, destruction, conversion, incorporation, anonymization, or transformation in any manner of BYU Data.
“Services” means authorized services performed by Vendor pursuant to the Service Agreement.
“Third-Party Hosting Services” means those parts of the Services provided, on Vendor’s behalf, by someone or some entity other than Vendor.
“Vendor’s Agents” means any and all agents, representatives, employees, and contractors of Vendor, including providers of Third-Party Hosting Services.
Requirements
SECURITY CONFORMANCE
Prior to contracting to provide Services, or within a reasonable period of time mutually agreed upon by BYU and Vendor, the Vendor will provide a completed security audit report, certificate of conformance, or a formal attestation of conformance (e.g., HECVAT, CAIQ) covering the Vendor’s key security practices and capabilities, as well as those of its Third-Party Hosting Services, so that BYU may determine whether they are sufficient to protect BYU Data. Additionally, the Vendor will provide to BYU copies of its information security policies and procedures for review.
Upon BYU’s request, the Vendor will provide to BYU updated documentation so that BYU may assess any changes to the Vendor’s key security practices and capabilities.
The following are the preferred conformance documents:
- Third-party SOC 2 Type II report
- Third-party SOC 2 Type I report
- ISO 27001:2013
- HECVAT/HECVAT Lite v3 or later (The HECVAT Full is required for information systems that contain restricted data, as determined by BYU. Otherwise, a HECVAT Lite is acceptable.)
- CAIQ v4 or later
If the Vendor does not have any of the above listed documents, please complete the appropriate HECVAT. You can download either Full or Lite from the EDUCAUSE website at https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit#tools
INFORMATION SECURITY MANAGEMENT
The Vendor will maintain an information security program, including key roles and responsibilities, such as information security leadership, budget, operations, policy, incident response, and training and awareness. The Vendor will assess enterprise information security risks at least annually, including tracking reasonable progress with remediation plans.
LEGALLY REQUIRED DATA GOVERNANCE STANDARDS
The Vendor will take reasonable measures to ensure that all legally or industry-required governance standards applicable to BYU Data and the Services are met (e.g., Federal Acquisition Regulation requirements or Payment Card Industry requirements).
HUMAN RESOURCE SECURITY
The Vendor will maintain a current list of all Vendor’s Agents with access to BYU Data and promptly provide a copy of the list to BYU upon request. The Vendor will perform pre-hiring background screening for all of Vendor’s Agents with access to BYU Data. The Vendor will also train Vendor’s Agents to comply with these requirements, as well as any applicable requirements in the Service Agreement, and will obtain from each of Vendor’s Agents a signed agreement with covenants of confidentiality at least as restrictive as those contained in the Service Agreement.
ACQUISITION AND VENDOR MANAGEMENT
The Vendor will ensure that only reputable products and, if permitted, downstream vendors are used in the Services. Where the Service Agreement permits use of downstream vendors, the Vendor will contractually require those downstream vendors to meet these requirements.
INVENTORY AND ASSET MANAGEMENT
The Vendor will maintain an accurate inventory of hardware and software products used for the Services and promptly provide a copy to BYU upon request.
SECURE CONFIGURATIONS AND PATCHING
Infrastructure and platform systems used for the Services, such as (physical and virtual) servers, databases, storage systems, and network devices, will run vendor-supported software with the latest security patches applied and will be configured according to industry best-practice guidelines.
DATA LOCATION
The Vendor will (i) store all BYU Data in the continental United States, except where express prior written approval has been obtained from BYU; (ii) provide to BYU, upon request, the physical location of each and every server that may Process or store BYU Data, all Third-Party Hosting Services used by Vendor in connection with the Services, and the identity of and business relationship with all Vendor’s Agents used to fulfill the Services (including providers of Third-Party Hosting Services); and (iii) provide at least seven days’ written notice to BYU before the physical location of any such server changes.
DATA RETURN AND PURGE
BYU retains ownership of BYU Data. Upon termination of the Service Agreement, Vendor will immediately return all BYU Data in its possession to BYU and will purge all BYU Data from its systems.
SEARCH, RETENTION, AND DESTRUCTION OF DATA
Vendor will develop and enable data search, retention, and destruction capabilities to allow BYU to implement its data retention programs, efficiently achieve litigation holds, and locate, collect, and preserve data, including metadata. Vendor will create and deploy processes and controls that allow for the effective and efficient authentication of BYU Data. Immediately upon notice by BYU of a litigation hold relative to BYU Data, Vendor will maintain and preserve the integrity of BYU’s Data, suspend the deletion of all BYU’s Data subject to the litigation hold, and ensure ready access to BYU Data by BYU or its legal representatives.
SUBPOENAS
Vendor will notify BYU within 24 hours of the service of any subpoena or other legal process seeking BYU Data, and will assist and cooperate with BYU in responding to such legal process. In addition, Vendor will make reasonable best efforts not to release BYU Data pending the outcome of such legal process.
NETWORK AND BOUNDARY PROTECTION
The Vendor will maintain reasonable inbound and outbound security restrictions for application and network communications associated with BYU Data and related services. Where possible, BYU Data will be maintained on non-shared servers, instances, and databases.
VULNERABILITY DETECTION AND REMEDIATION
Frequent vulnerability detection and remediation will be performed for all computing environments where BYU Data is located and for any Vendor management systems and services that could impact the security of BYU Data.
APPLICATION SECURITY
Where custom applications are developed by the Vendor for BYU, those applications will be developed using coding techniques that minimize common vulnerabilities, such as those described by the Open Web Application Security Project (OWASP).
SERVICE AVAILABILITY
The Vendor will maintain information, application, and service resilience adequate to meet the agreed-upon service level agreements, including the implementation of disaster recovery and avoidance procedures and daily backups of BYU Data.
ACCESS CONTROL
The Vendor will restrict access by Vendor’s Agents to BYU Data to only that needed to adequately perform the Services. BYU Data will be isolated from other customers and external entities, except for providers of Third-Party Hosting Services. Vendor will use strong encryption for BYU Data at rest and in transit. Administrative access to system and application functions associated with BYU Data will require multi-factor authentication. Vendor will conduct regular security assessments of Vendor’s Agents with access to BYU Data, information systems, or facilities, and will restrict Vendor’s Agents from subcontracting duties with respect to the Services without prior approval by Vendor and BYU. Upon BYU’s request, Vendor will promptly suspend or terminate access by Vendor’s Agents to ensure the security of BYU Data, information systems, and facilities.
SECURITY MONITORING
The Vendor will log and monitor critical application, system, and account security events. Where possible, the Vendor will enable API access so that security-event logs can be retrieved by BYU log-collection processes.
PHYSICAL SECURITY
The Vendor will implement reasonable perimeter and facility physical security controls.
THIRD-PARTY SERVICE PROVIDERS
The Vendor will contractually require that all Third-Party Hosting Services providers storing or Processing BYU Data maintain information security standards and practices at least as restrictive as those listed here and in the Service Agreement.
Questions? Please contact the CES Security Operations Center.