For all DePaul covered data (as defined by the Information Security Policy) that is to be hosted as a service by an external vendor, whether the data is furnished by DePaul, collected on the vendor's site, or entered by DePaul constituents, care must be taken to ensure that the vendor secures the data appropriately.
Agreements between DePaul and outside services where the service provider hosts or has access to DePaul covered data must have a contract in place, regardless of the dollar amount of the contract. The Director of Information Security must be notified to review the anticipated use and handling of DePaul data and to review the Application Security Intake Form submitted by the requester.
Service providers should be asked for an independent opinion on their security and controls environment. SSAE18 (Statement on Standards for Attestation Engagements No. 18) is an attestation standard under which an independent auditor issues a statement on a service provider's control environment. The most significant report under SSAE18 is the SOC 2 Type 2, which audits the company's security, availability, integrity, confidentiality and privacy controls over a set period of time. It is becoming an industry standard for service providers to furnish this report to their clients.
If the service provider does not have an SSAE18, the following questions should be raised with them:
If the service to be provided involves the use of credit cards, determine whether the provider is Payment Card Industry Data Security Standard (PCI DSS) certified.
The following elements (if applicable) should be specified contractually between DePaul and the service provider: