Security for New IT Purchases

Understand the Software Purchasing Process

Western has a formal process for purchasing software.  You should first review the whole process on the Software Central website.  

Security Touchpoints During the Purchase Process

Security is embedded throughout the process of purchasing new products.  This ensures that new systems meet our requirements for system and data confidentiality, integrity, and availability.  The steps typically are:

  1. Initial security discussion:  At the time that a decision has been made to pursue purchasing a new solution, a representative from the Information Security Office needs to meet with the project lead, a technical lead, and the business owner to discuss the overall scope of the project, and to identify any security concerns.
  2. Procurement process:  When a Request for Proposals (RFP), Request for Quotes and Qualifications (RFQQ), or Request for Information (RFI) is needed, it should contain a list of security-related questions for the bidders.  The ISO has a standardized list of questions that can be modified if necessary for a project.  The ISO will score the results when the bids are submitted, and the score will be considered during the vendor selection process.
  3. Security control design: After the preferred solution is chosen, the vendor and technical lead have the primary responsibilities to ensure the system's security controls are properly designed and documented. 
  4. Security design, review, and risk assessment:  If the solution processes confidential data, is internet facing, or is high risk, a formal security design review and risk assessment must be done.  The ISO has templates with all the required security controls.  The technical lead and vendor complete the templates, and also provide a diagram of the solution showing the components, the security boundaries, and information flows.  The ISO then sits down with the technical lead and if necessary, the business owner and vendor to review the design.  The team then goes through the process of identifying any gaps in the controls, and they discuss mitigations. Lastly, everyone identifies any threats to the system and completes the formal risk assessment. See our page on Security Design Review and Risk Assessments for more information.  The security design review and risk assessment must be done prior to final contract signing and system implementation.
  5. Contracting:  Contracts are important to ensure that the security, privacy, and breach notification provisions that are the responsibility of the vendor are upheld.  For systems that share data and require a risk assessment, Western requires a data sharing agreement (DSA) based on a template.  Some of the provisions in the contract include who (at the vendor) has access to the data, how the data is shared and stored, how the data lifecycle is managed, and how the data is destroyed on termination of the contract.  The business owner and technical lead must work with the ISO and University Procurement Office to review the contract and DSA.
  6. Implementation:  During implementation, the technical lead and their team are responsible for ensuring all security controls and mitigations are implemented as stated in the security design review.  The project team should make sure that the Access Management and Logging templates are filled out.  
  7. Post implementation:  After implementation is complete, a representative of the project team must inform the ISO that the project is complete and inform the ISO of any deviation from the security design.
  8. Solution updates:  When the solution has a major change, such as a significant upgrade, the system custodian and system steward must review the security controls in place and update the security design review and risk assessment.  A review must also be done every three years regardless of any changes.

Please email the Information Security Office if you are thinking of purchasing a new system.