Vendors that provide the university with systems that store, process, or transmit confidential data as defined by the university’s Data Classification Policy must sign the university’s Vendor Privacy Agreement and must comply with the following minimum security and operational guidelines in order to do business with the university:
1.0 Audit and Compliance
- If the system involves payment card processing, vendor must submit the following documents:
  - Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/
  - Statement from auditor for compliance with ISO/IEC 27001 or its equivalent standard, including certification that the audit met the standard.
  - Statement from auditor for compliance with SAS 70 / SSAE 16.
  - Payment process flow diagram
- The university protects copyrighted material including university logos, emblems, images, and GIF files; these must be used only with university approval.
2.0 Web Accessibility
- The university is committed to ensuring that no barriers exist to prevent interaction with, or access to, websites by people with disabilities. Vendor must demonstrate that the proposed solution conforms to or addresses each of the W3C's Web Content Accessibility Guidelines (WCAG) Level AA (including Level A).
- Vendors must submit either a Voluntary Product Accessibility Template (VPAT) 2.0 based on WCAG 2.0 Level AA (https://www.w3.org/TR/WCAG20/) or an independent third-party evaluation from a qualified accessibility consultancy.
3.0 Data Controls
- A data integration plan must be documented. Data elements coming from university systems and going into the vendor’s system and data elements being sent from vendor’s system to the university must be identified and documented.
- If university data is being updated, a description of how the updates are made must be provided for both an initial data load and ongoing data integration.
- Vendor is required to sign the university’s Vendor Privacy Agreement if system stores, processes or transmits confidential data.
- Vendor agrees not to sell or share university data with third party vendors.
- If payment processing is involved, vendor must use secure point-to-point encryption methods that are listed as approved by the PCI Security Standards Council (https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions).
- Vendor must provide capabilities for storing and processing full Legal Name and Preferred First Name if any name service (student name, employee name, etc.) is included in the solution.
4.0 Identity Management and Account Access
- Vendor must describe the method for login management, single sign-on and integration.
- The system must meet the following identity access management standards:
  - Login processes can authenticate using single sign-on utilizing a custom authentication method or SAML 2.0+ if available. Active Directory, CAS and LDAP are not supported at this time.
  - If the vendor does not support single sign-on and is providing identity access accounts, the vendor must:
    - Provide for a unique login identity and password that is encrypted in storage and at rest. Vendor will manage issuing login accounts, password attributes, password resets, minimum password length, password generation guidelines, password expiration, and other access identity management processes using standard industry practices for security and privacy. Describe in detail the following processes:
      - Creating, suspending and terminating accounts
      - Password security protocols
5.0 Technical and Network Architecture
- Vendor must supply the following documentation if required:
  - Any and all firewall rules
  - Custom domain names, email configurations, messaging integration, or other configurations required for successful network and communications connectivity to the system.
  - A network architecture diagram that details traffic flows, any and all ports and protocols, and any and all communication requirements.
- If proposing an on-premise solution, vendor must provide high-level network and process flow diagrams and a description of the proposed architecture.
- Vendor may be required to provide a test environment available to the University for upgrades and ongoing testing and verification.
- Describe how upgrades are handled and how the university controls the timing of upgrades. If proposing a cloud or software-as-a-service solution, provide a cadence for planned outages, including time zone considerations for the Eastern Time Zone.
- Vendor must provide timely notification of required security patches.
- Describe storage and record limits associated with the proposed solution. Describe when additional storage or record purchases are necessary. If proposing a cloud or software-as-a-service solution, describe limitations for storage and archival of data.
Email, SMS and Push Notification - if the system includes email, SMS or push notifications:
- If applicable, solutions must:
  - Comply with the Telephone Consumer Protection Act and the CAN-SPAM Act.
  - Comply with Google's Bulk Senders Guidelines.
  - Have valid MX, A, and PTR records for email servers.
  - Comply with Common Internet Message Headers.
  - Stay within the single-user limits outlined in Google G Suite Sending Limits.
  - Allow the application administrator to disable specific email messages.
- If the system involves push notifications, it must integrate with the university's mobile app.
Systems purchased outside of the scope of these guidelines will not be allowed to connect to the NMU network, and will not be supported by NMU’s Information Technology Department. NMU’s Committee on Information Security Operations retains final decision authority for the use of systems that process, store or transmit confidential data.
See Vendor Privacy Agreement Procedure for information about the process for implementing a system that stores confidential data.