Technology Requirements / Security (Required)

Current State Specification

Approved methods of third-party remote access:  WebEx, local vendor account with Cisco AnyConnect VPN. Each third party may be provided with a username and password. This username and password cannot be shared with anyone, including other employees of the same company. Supported access to applications is via Microsoft RDP or SSH.

We are a PCI level 4 merchant and are PCI-DSS SAQ A, SAQ A-EP, and SAQ C. We will not accept applications that fall under PCI-DSS SAQ D. Miami University will not store, transmit or process credit or debit card information using University servers. Credit card processing must be handled via an approved PCI-DSS payment gateway.  Encryption, tokenization and/or a PCI-validated P2PE payment solutions to be used for protecting card data at rest and in transit.

Acceptable credit card application methods

• Through a PCI-DSS compliant automated system that is entirely hosted by a PCI-DSS compliant third-party organization 
• Through an automated system that is hosted in the University data center that does not accept, capture, store, transmit or process credit or debit card information itself but refers the customer to a PCI-DSS compliant system hosted by a third party organization that handles credit and debit card payments on our behalf. The third-party system must not return credit card numbers or verification values to the University-based system
• Compliance with Miami University PCI and Data Security Policy — reference Policy: Payment Card Data Security

Miami University requires the following documents be returned in applicable scenarios described:

• Higher Education Cloud Vendor Assessment Tool (HECVAT Full Version) with supporting documentation as outlined in the questionnaire: To be completed at the time that a contract is signed, or before a pilot is kicked off
• Non-Disclosure Agreement: Located in our Services Agreement, is required to be signed and returned prior to any demonstrations
• Miami PCI document: If a credit card is being utilized anywhere in your system, product, process, etc, responses must be included in your proposal. Indicate whether or not your point of sales system/payment application/payment gateway is PCI compliant. Provide the name under which it is listed on the PCI compliance websites. We will not purchase any applications that fall under PCI DSS SAQ D. An Attestation of Compliance (AoC) and evidence of passing a recent AVS scan should be submitted as part of the proposal

Premise Solution Provider Support Questions 

1. How is Miami University data protected from intentional or accidental exposure or change during transmission within the local network or Internet? What encryption algorithm(s) is (are) used?
2. Describe how your product protects the privacy and confidentiality of student records as outlined in FERPA, HIPAA, etc.
3. How is application activity recorded for use in auditing activities?
4. What information is recorded in the logs?
5. Has your organization experienced any compromised security in the last three years, including the loss of laptops or any removable media on which sensitive data was stored?
6. Has your organization ever experienced a data breach caused by one of your vendors that resulted in the misuse of your company's sensitive or confidential information?
7. Has your organization ever experienced a data breach caused by a cyber attack against one of your vendors that resulted in the misuse of your company's sensitive or confidential information?
8. If yes to one or both questions above, did you make any changes to your organization's vendor risk management program?
9. When a critical security issue is discovered in your product, what is your process for remediating it? Do you send the patch out to your customers as soon as it is ready, or do you send patches out on a fixed cycle (i.e., quarterly patch cycle)?
10. Are your systems scanned (internally and/or externally) for vulnerabilities? Describe the tool(s) used to scan for vulnerabilities in your systems.
11. Are your applications scanned for vulnerabilities? Describe the tool(s) used to scan for vulnerabilities in your applications.
12. Are your applications scanned for vulnerabilities prior to a new release?
13. When a critical security issue is discovered for the underlying operating system used by your product, how long do customers have to wait until that patch is approved for use with your product?
14. Please specify which third-party remote access methods you will use if needed. If you need remote access methods not currently supported by Miami University, outline these requirements.
15. Describe your product’s ability to handle SPAM filters, blacklisting/white-listing policies, and privacy laws to ensure messages are in compliance with relevant legislation and have the best possible chance of being successfully delivered to and read by contacts.
16. Describe how information necessary for the authorization/authentication will be exchanged securely. What encryption algorithm(s) is (are) used?
17. What are the necessary ports and services required for the application (operating system, database, web and other services, the application itself)?
18. Miami will scan the software with common security scanning programs. If there are issues, what is the procedure to verify and correct the issue?
19. Does the solution have the ability to conduct financial transactions (credit cards. ACH, etc.)?
20. Describe how your organization performs web application security verification testing application technical security controls (i.e., protect against vulnerabilities such as cross-site scripting, SQL injection, and so forth). Where possible include references to the OWASP ASVS and OWASP Top 10. 

Remotely Hosted Solution Provider Support Questions 

1. How is Miami University data protected from intentional or accidental exposure or change during transmission within the local network or Internet? What encryption algorithm(s) is (are) used?
2. Describe how your product protects the privacy and confidentiality of student records as outlined in FERPA, HIPAA, etc.
3. How is application activity recorded for use in auditing activities?
4. What information is recorded in the logs?
5. Are audit logs centrally stored and retained? What is the retention period of those logs and how are they protected?
6. Has your organization experienced any compromised of security in the last three years, including the loss of laptops or any removable media on which sensitive data was stored?
7. Has your organization ever experienced a data breach caused by one of your vendors that resulted in the misuse of your company's sensitive or confidential information?
8. Has your organization ever experienced a data breach caused by a cyber attack against one of your vendors that resulted in the misuse of your company's sensitive or confidential information?
9. If yes to one or both questions above, did you make any changes to your organization's vendor risk management program?
10. Describe the process for recognizing, reporting, and responding to unauthorized attempts to access the system and/or data.
11. Do you have breach notification/incident reporting procedures? If so, describe.
12. Does your incident response plan address a cyber intrusion or attack? Does it include but not limited to: a data breach, ransom ware, insider threat, a supplier security incident?
13. When a critical security issue is discovered in your product, what is your process and cycle (i.e., quarterly) for remediating it?
14. Are your systems scanned (internally and/or externally) for vulnerabilities? Describe the tool(s) used to scan for vulnerabilities in your systems.
15. Are your applications scanned (internally and/or externally) for vulnerabilities? Describe the tool(s) used to scan for vulnerabilities in your applications.
16. Are your applications scanned for vulnerabilities prior to a new release?
17. Do you perform periodic vulnerability scans and penetration tests on assets, applications, and systems containing customer data?
18. When a critical security issue is discovered for the underlying operating system used by your product, how long do customers have to wait until that patch is applied to your product?
19. Define the access control roles and what types of controls are applied to employees that will have access to the data.
20. Will our data be in a single tenant or multi-tenant environment?
21. What controls are in place to keep customer systems, applications, and data segregated from other customer assets and inaccessible to other customers or from your internal network?
22. Do you have the capability to recover data for a specific client in the case of a failure or data loss?
23. Describe where the data will be kept. List all locations (i.e. city and datacenter name) where university data will be stored.
24. Does the solution have the ability to conduct financial transactions (credit cards. ACH, etc.)?
25. Do any external entities have access to your data processing facilities, systems, or applications? If so, do you perform due diligence and monitor the compliance and risk of these external entities with which you engage?
26. Describe how your organization performs web application security verification testing application technical security controls (i.e., protect against vulnerabilities such as cross-site scripting, SQL injection, and so forth). Where possible include references to the OWASP ASVS and OWASP Top 10.
27. What types of internal or external audits, if any, are performed for the data center(s)?
28. Describe exactly how you will protect Miami’s information. This should include the following: network/infrastructure security, information storage security, physical security of data center/co-location facility, change control, and patch management, a process for responding to security incidents, backup and disaster recovery, and need-to-know processes.
29. Are ownership rights to all data, inputs, outputs, and metadata retained by the institution? Are these rights retained even through an acquisition or bankruptcy event?
30. In the event of imminent bankruptcy, the closing of the business, or retirement of service, will you provide 90 days for customers to get their data out of the system and migrate the application? Will our data be available to us in a readable, non-proprietary format?
31. At the completion of the contract, will data be returned to the University? How will our data be returned to the university and in what format? How long will university data be available within the system at the completion of the contract? How will the data be destroyed and will it be destroyed at all data locations? Will you provide proof of data destruction?