Services Security Checklist: Updated for BPM 3.4.4

UPDATE: Effective November 2021, the University System of Georgia requires Georgia Tech to perform a review of all suppliers and 3rd parties that have access to Georgia Tech systems and/or data to ensure adequate protections are in place as required by law, regulation, and system/state policies. This intake form is required and must be completed in full before the required third-party security review is initiated.

  • The use of external service providers’ services and products can result in cost savings, as well as help the Institute deliver instruction, collaborate, and share information and ideas.
  • While it can be quite simple to buy a license for a product or create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students, each other, and the University System of Georgia (USG).

Before entering into an agreement with any vendor, even in the context of agreeing to an End User License Agreement for software you intend to use for Georgia Tech business, it is important to consider the following:

  • Care should be taken when considering the type of data to be stored, processed, and transmitted using the product or service:
    • Is this data subject to regulatory standards and/or protected by state, federal, or international law?
      • Examples include but are not limited to FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), CUI (Controlled Unclassified Information), and GDPR (General Data Protection Regulation).
    • Does the Institute consider this information to be sensitive?

The BPM 3.4.4 Process now includes the Third-Party Security Assessment (TPSA) process
  • Third-Party Security Assessments (TPSAs) are security assessments conducted by OIT Cyber Security as part of the BPM 3.4.4 process to confirm whether a vendor’s product or service has information, data, and cybersecurity policies in place to protect GT sensitive institutional information and constituents' PII, and to establish the Risk score required by USG.
  • The TPSA relies on third-party security certifications and assessments of the Vendor (e.g., a SOC 2 Type 2 report) as well as self-assessments (e.g., the Higher Education Community Vendor Assessment Tool (HECVAT)); see the list under “Steps for initiating a Third-Party Security Assessment” below.
  • When are TPSAs Required?
    • TPSAs are now required for all:
      • New third-party services
      • Annual reviews
      • Contract amendments
      • Zero-cost contracts
  • OIT Cyber Security will work with service owners to review User Entity Controls (UECs) annually.
  • To conduct Third-Party Security Assessments, OIT Cyber Security may evaluate user entity controls using additional third-party assessment tools such as Security Scorecard to identify and/or evaluate control weaknesses.
  • These assessments may be used in conjunction with other appropriate security reports, as needed, such as a SOC 2 report or HECVAT, to evaluate new tools or existing tools (renewals).
    • Note: The criteria used to evaluate controls are generally not published, so as not to encourage vendors to “code around” them.

Steps for initiating a Third-Party Security Assessment:

Please Note: The GT Sponsor of the product (a GT employee, faculty or staff only) [1] will need to request that the Vendor provide the following:

  1. Request from the Vendor one or more of the following Assessment Reports/Certifications and attach them to the BPM 3.4.4 Form when you create it later in the process (see #2 below):
    1. FedRAMP Moderate or High certificate, OR
    2. ISO 27001 or ISO 27002 certificate (not expired), OR
    3. SOC 2 Type 2 report (not more than 3 years old), OR
    4. HECVAT filled out by the Vendor (not over one year old):
      1. HECVAT FULL v3.02: "https://library.educause.edu/-/media/files/library/2022/3/hecvat302.xlsx"
      2. HECVAT LITE v3.02: "https://library.educause.edu/-/media/files/library/2022/3/hecvatlite302.xlsx"

Note: in cases where a specific report is not available from or about the Vendor, OIT (Office of Information Technology) Cyber Security may request additional supporting security reports or documentation.

  2. Once you have one or more of the documents above, go to the “Services & Support” page for “Procurement”.
    1. In the Service Catalog section, launch: BPM 3.4.4 Supplier Contracts Assessment Intake - Intake form required for all supplier/3rd party contracts
    2. After you launch the BPM 3.4.4 Supplier Contracts Assessment Intake Form:
      1. Provide the following in your Description:
        1. To complete this TPSA, we need your help getting the following information. You may have part of the information; the rest would come from the Vendor:
          1. For Procurement linking, one of the following is required: Contract #, PO #, Requisition #, INCIDENT #, or some other Procurement-referenceable number or ID.
          2. Vendor contact information: Vendor, Sales Rep, contact information (address, phone, email).
    3. Attach the documents requested in #1 above to this ticket, or comment that you have them.

A Compliance Analyst will contact you for any further questions or instructions.

As part of this TPSA process, Data Stewards may Review and Approve, Request Clarifications, or Reject a TPSA report.


Escalation path: next steps if the TPSA report is rejected
  1. If the TPSA report is deemed Unacceptable by the Data Steward, all appeals go through a Risk Panel.
  2. The GT Sponsor should document how and why this product should be approved, and submit this appeal to the Risk Panel for its consideration.

Contact GT Procurement and GT Legal to assist with purchasing the product or service.

For services that store, process, or transmit research data (including CUI data) and may support sponsor data, the GT Sponsor must contact the appropriate OSP/GTRC Contracting Officer to ensure the desired service meets contract requirements. Verify that the service agreement for the product or service provides the following guarantees:

  • Georgia Tech maintains sole ownership of our data
  • If the vendor is hosting our data:
    • They must notify Georgia Tech in the event of a data breach
    • Georgia Tech has the right to reclaim our data
    • Georgia Tech has the right to review independent audit reports or to audit the cloud service provider
    • If the service is a cloud service, ensure they have implemented the following security measures [2] if you are considering using the service in conjunction with sensitive GT data:
      • Storage encryption
      • Transmission encryption
      • Password protection
      • Data backup
      • Secure data/drive disposal

[1] Please Note: The BPM 3.4.4 Process, which includes the Third-Party Security Assessment (TPSA), must be initiated by a GT Sponsor (Faculty or Staff only) who will be the Point of Contact (POC) for the BPM 3.4.4 Contracting process. You, as the GT Sponsor/POC, not the vendor, need to obtain the required documentation and submit it via the BPM 3.4.4 Intake Form, as described above. IMPORTANT: Any BPM 3.4.4 Intake Form submitted by a vendor may be rejected.

[2] The complete list of cloud security requirements for sensitive data is located in the Georgia Tech Data Protection Safeguards: http://b.gatech.edu/dps. Contact GT Cyber Security if assistance is needed with security issues: ask@security.gatech.edu