Office of Information Security - IT / 1
Purpose
Answering the questions contained in this questionnaire will ease the implementation of this software application by clearly outlining which areas of the University will be involved in its planning, testing, deployment, and management of the application.
Who should fill this form?
Units entering agreements and/or purchasing:
· Off-campus software application services, such as Software as a Service providers, Platform as a Service providers, and other types of outsourced or cloud services
· On campus, multi-user software applications
· Software applications extracting data from authoritative systems such as OASIS, GEMS, etc.
It is not the intent of this questionnaire to examine the purchase of academic licensed software installed on single end-user computers (such as Microsoft Office, Adobe Suite, etc.)
When done, please email the form to
Alex Campoe
Director, Office of Information Security
I. Software ApplicationProduct Name
Product Description
Enter a few paragraphs describing the application and how it will be used at USF
Vendor
Vendor Website
Tech Fee #
Enter the Tech Fee number if this purchase was funded with a Tech Fee
Where will the application reside? / ☐ In-House
☐ Off Campus
II. Requestor
Name
Title
College or Department
USF System Area / ☐ Tampa
☐ Lakeland
☐ Sarasota
☐ St. Pete
☐ USF Heath
III. System and Asset Characterization
In order to be able to properly protect the Confidentiality, Integrity, and Availability in the context planning for our USF System Risk Assessment, Business Continuity, and Disaster Recovery of the system and the data it contains, IT needs the following information. Please keep the entire USF System as the scope for the answer on the sensitivity and criticality of the data this application will be handling. Details on each classification can be found with ISSP001 – Sensitivity and Criticality of Data.
Sensitivity
Sensitivity is directly related to the answer to the following question: what would be the repercussion were the system and/or data be exposed or altered by a third party in terms of Financial, Operational, Safety, or Reputation to the USF System. / ☐ Restricted
An asset is considered restricted when access and/or modification of the data is limited. This would include systems containing data protected by FERPA, GLB, and/or other Federal, State, or University policies and regulations.
☐ Unrestricted
Unrestricted data is data for which controls are not mandated by Federal or State regulations, University policy, or by the data owner.
Criticality
Criticality is related to the availability of the data. What would happen if the system and/or data become unavailable? / ☐ Essential
An asset should be considered essential if the loss of availability would cause immediate, severe repercussions for the University.
☐ Required
The asset is considered required when it is important to the campus, but University operations would continue for a certain period of time even if the data is not available
☐ Deferrable
A deferrable asset is an asset that is needed for optimal operation of the University but loss of availability would not cause major issues and the asset can usually be rebuilt or reconstituted from other sources such as manual data input.
Asset Owner
Organizational Unit that will be responsible for the contract with the vendor, filed the Tech Fee proposal (if applicable), and owns the data.
Asset Custodian
Organizational Unit responsible for management and upkeep of the systems and the infrastructure related to the operational part of the project. For institution-wide applications this is normally assigned to IT.
IV. System Interface(s) and Other Requirements
Please identify the need for any of the resources outlined below for the implementation of this project.
☐ Social Security Numbers / Please note that only units specifically allowed to store SSNs are able to do so, after a rigorous security evaluation process performed by the Office of Information Security.
☐ Student Data / Data such as grades, names, email addresses, both Directory and Non-Directory information obtained automatically from OASIS or from the Data Warehouse. Do NOT check this box if the student is being prompted to enter this information.
☐ Employee Data / Data such as names, email addresses, position description, supervisors, or any other data about an employee automatically extracted from GEMS or from the Data Warehouse. Do NOT check this box if the employee is being prompted to enter this information.
☐ Financial Data / Data such as travel information, purchasing, budget, financial aid, or any other financial data automatically extracted from FAST or from the Data Warehouse. Do NOT check this box if the user is being prompted to enter this information.
☐ Account Login and Account Management / Check this box if the system will require user account credentials (login and password) to be maintained, and accounts to be created and removed automatically. NetID authentication is required for multiuser University systems.
☐ Card ID Information / Access to card ID number, classification, or picture must be authorized by Card Services.
☐ Hardware / Indicate whether hardware devices (such as printers. servers or storage devices) will need to be purchased in order to support this project.
☐ Client Software Installation / Will this project require the installation of software on computers on campus, in offices or classrooms? Do NOT check if software application is only going to be accessed through a web browser.
☐ Processing of Payments / Will this software process credit card or other type of payments?
If you did not check any boxes above you are done. If you selected any of the previous boxes please continue to the next sections.
V. Vendor Questions
You may or may not know the answers to these questions. If you do not know please ask your vendor.
Account Management
Which of the following authentication mechanisms are supported? Check all that apply. / ☐ JASIG / CAS
☐ Shibboleth
☐ Secure LDAP
☐ Active Directory / ADFS
☐ None of the above
Do all your client interfaces (mobile site, mobile app, PC client, standard web site) support the same authentication mechanism? If NO, please describe.
How are accounts provisioned and de-provisioned from the system?
System Integration
What interface protocols are available for the communication with other USF systems?
Will data need to move between systems in batch or real-time processing?
Is there a test environment to support the production environment?
List the web browser compatibility matrix for this software if the interface is web-based.
VI. Outsourced Vendor Questions
This session only needs to be filled up if this project involves an application that is maintained off-site.
Security
Describe the data center environment, including any Data Center certification it may have (SSAE 16, etc.).
Where are the physical locations of all Data Centers (primary and redundant) which may end up supporting this application or storing our data?
What firewall and intrusion detection measures are in use to protect the system and USF data?
Is there 24x7 security monitoring?
If not, please describe the security monitoring service level.
Describe all encryption measures that are in place while in transit and at rest?
Are there measures in place to return user data to the University and ensure data scrubbing? Please explain.
Do you have third-party certifications for security practices? Please list.
Do you provide access to debugging/error logs in the system integration process?
Security
List the company policy on sharing or selling of USF contact data contained within the system.
Is USF application data able to be retrieved by anyone other than a USF authorized representative? Please list non-USF authorized staff.
Will USF authorized representatives have full access to USF information for viewing/transferring at all times?
Please describe availability considerations if the answer is no.
Describe the formats in which data can be downloaded by USF.
Are there vendor requirements for data archive / purge or other data retention timeline and capacity consideration?
Support
List the available support and self-service channels.
List the hours of support operations.
List (or attach) support Service Level Agreements.
List the qualification of the support staff.
Product Enhancements
How often are new features introduced?
How are system maintenance windows scheduled?
Do you have flexible upgrade windows for software upgrades?
How do you include customer feedback in the upgrade plan?
Infrastructure / Availability
Is the infrastructure environment a hosted environment, single-tenant or multi-tenant?
How have/will the capacity needs for USF been determined?
Describe the system monitoring that is used.
Describe the back-up and back-up retention schedule.
Provide the uptime/availability statistics.
How is your service protected from disasters?
Please provide (or attach) the Infrastructure Service Level Agreements. What are the ramifications if the SLA’s are not met?
References
Please list other higher education institutions that use the service.
Form Version: 2014013101