BYU Information Security Requirements for Vendors
Brigham Young University (“BYU”) contracts vendors to provide the services BYU needs to better accomplish its mission (“Vendors”). Where a Vendor must access BYU-owned data to perform services for BYU, the Vendor is responsible to implement the information security requirements described below. These requirements are incorporated into the terms and conditions of any applicable agreement for the Vendor to provide services to BYU (“Service Agreement”). Also, these requirements do not replace or supersede any requirements otherwise agreed to by BYU and a Vendor.
“BYU Data” includes all data (in any format) that, as a result of the Services, BYU allows Vendor to access, possess, view, or otherwise Process.
“Processing” (or to “Process”) means the collection, access, use, disclosure, transmission, transfer, retention, storage, destruction, conversion, incorporation, anonymization, or transformation in any manner of BYU Data.
“Services” means authorized services performed by Vendor pursuant to the Service Agreement.
“Third-Party Hosting Services” means those parts of the Services provided, on Vendor’s behalf, by someone or some entity other than Vendor.
“Vendor’s Agents” means any and all agents, representatives, employees, and contractors of Vendor, including providers of Third-Party Hosting Services.
Prior to contracting to provide Services, the Vendor must complete the CES Security Operations Center’s Security Questionnaire (“Questionnaire”) with information related to the Vendor’s key security practices and capabilities, as well as those of Third-Party Hosting Services, to determine if they are sufficient to protect BYU Data. Upon BYU’s request, the Vendor must provide to BYU updated responses to the Questionnaire so that BYU may assess any changes to the Vendor’s key security practices and capabilities.
INFORMATION SECURITY MANAGEMENT
The Vendor must maintain an information security program, including key roles and responsibilities, such as information security leadership, budget, operations, policy, incident response, and training and awareness. The Vendor must assess enterprise information security risks at least annually, including tracking reasonable progress with remediation plans.
LEGALLY REQUIRED DATA GOVERNANCE STANDARDS
The Vendor must take reasonable measures to ensure that all legally or industry required governance standards applicable to BYU Data and the Services are met (e.g., Federal Acquisition Regulations requirements, Payment Card Industry requirements, etc.).
HUMAN RESOURCE SECURITY
The Vendor must maintain a current list of all Vendor’s Agents with access to BYU Data and promptly provide a copy of the list to BYU upon request. The Vendor must perform pre‐hiring background screening for all of the Vendor’s Agents with access to BYU Data. The Vendor must also train Vendor’s Agents to comply with these requirements, as well as any applicable requirements in the Service Agreement, and obtain from each of Vendor’s Agents a signed agreement with covenants of confidentiality at least as restrictive as those contained in the Service Agreement.
ACQUISITION AND VENDOR MANAGEMENT
The Vendor must ensure that only reputable products and, if permitted, downstream vendors are used in Services. Where the Service Agreement permits use of downstream vendors, these requirements must be contractually required for downstream vendors.
INVENTORY AND ASSET MANAGEMENT
The Vendor must maintain an accurate inventory of hardware and software products used for the Services and promptly provide a copy to BYU upon request.
SECURE CONFIGURATIONS AND PATCHING
Infrastructure and platform systems, such as (physical and virtual) servers, databases, storage systems, and network devices used for the Services must use vendor-supported software with the latest security patches, and configured according to industry best practice guidelines.
The Vendor must (i) store all BYU Data in the continental United States, except where provides specific written consent; (ii) provide to BYU, upon request, the physical location of each and every server that may Process or store BYU Data, all Third-Party Hosting Services used by Vendor in connection with the Services, and the identity of and business relationship will all Vendor’s Agents used to fulfill the Services (including providers of Third-Party Hosting Services); and (iii) provide at least seven days’ written notice to BYU before any server physical location changes.
DATA RETURN AND PURGE
BYU retains ownership of BYU Data. Upon termination of the Service Agreement, Vendor must immediately return all BYU Data in its possession to BYU and purge it from its systems upon termination of agreement.
SEARCH, RETENTION, AND DESTRUCTION OF DATA
Vendor must develop and enable data search, retention, and destruction capabilities to allow BYU to implement its data retention programs, efficiently achieve litigation holds, and locate, collect and preserve data, including metadata. Vendor must create and deploy processes and controls that allow for the effective and efficient authentication of BYU Data. Immediately upon notice by BYU of a litigation hold relative to BYU Data, Vendor must maintain and preserve the integrity of BYU’s Data, suspend the deletion of all BYU’s Data subject to the litigation hold, and ensure ready access to BYU Data by BYU or its legal representatives.
Vendor must notify BYU within 24 hours of the service of any subpoena or other legal process seeking BYU Data, and will assist and cooperate with BYU in responding to such legal process. In addition, Vendor must make reasonable efforts not to release BYU Data pending the outcome of such legal process.
NETWORK AND BOUNDARY PROTECTION
The Vendor must maintain reasonable inbound and outbound security restrictions for application and network communications associated with BYU Data and related services. Where possible, BYU Data must be maintained on non‐shared servers, instances, and databases.
VULNERABILITY DETECTION AND REMEDIATION
Frequent vulnerability detection and remediation must be performed for all compute environments where BYU Data is located and for any Vendor management systems and services that could impact the security of BYU Data.
Where custom applications are developed by the Vendor for BYU, those applications must be developed using coding techniques that minimize common vulnerabilities, such as those described by the Open Web Application Security Project (OWASP).
The Vendor must maintain information, application, and service resilience adequate to meet agreed upon service level agreements, including the implementation of disaster recovery and avoidance procedures, and daily data backups of data.
The Vendor must restrict access by Vendor’s Agents to BYU Data to only that needed to adequately perform the Services. BYU Data must be isolated from other customers and external entities, except for Third-Party Host Providers. Vendor must use strong encryption for BYU Data at rest and in transit. Administrative access to system and application functions associated with BYU Data must require multi‐factor authentication. Vendor must conduct regular security assessments of Vendor’s Agents with access to BYU Data, information systems or facilities, and restrict Vendor’s Agents from subcontracting duties with respect to the Services without prior approval by Vendor and BYU. Upon BYU’s request, Vendor must promptly suspend or terminate access by Vendor’s Agents to ensure the security of BYU Data, information systems and facilities.
The Vendor must log and monitor critical application, system, and account security events. Where possible, the Vendor must enable API access for security‐event logs to be accessed by BYU log‐collection processes.
The Vendor must implement reasonable perimeter and facility physical security controls.
THIRD-PARTY SERVICE PROVIDERS
The Vendor must contractually require that all Third-Party Services Providers storing or Processing BYU Data maintain information security standards and practices at least as restrictive as those listed here and in the Service Agreement.
Questions? Please contact the CES Security Operations Center.