Technology Service Selection Requirements

Overview

This policy details the technical considerations that are used to assess the compatibility of prospective services with existing University systems, processes, and IT strategy to aid departments in the assessment and selection process.

Audience

Public

Applicability

All members of the community who may be involved in the assessment or selection of technology services.

Principles

Technology services have two primary components in assessing their compatibility. Functional requirements are those features that the requesting department deems necessary to gain and create value from the service. Technical requirements are those features that IT deems necessary to maintain security, ensure compatibility with related services, and ensure that efficient processes can be developed to support the service long term.

There are four main areas within the technical requirements that IT assesses for all services:

Service Delivery Model - While many modern services are delivered from the "cloud", some still require on-premises hosting. All services up for consideration must be delivered via the software as a service (SaaS) model, including not only the core service but any ancillary systems required to be deployed to support it.

Data Security Standards - Any service provider whose service will store or process University data is required to complete and submit the following questionnaire:

  • Do you undergo external information security audits and/or security certifications? Please provide a copy of or link to your SOC 2 Type 2 report and any other third-party assessment reports that are available.

  • Please provide a copy of or link to your Breach/Security Incident Policy and describe your timeline for notifying customers in the event of a security incident.

  • Please provide a copy of or link to your privacy policy and describe what notice you provide to customers when your privacy policy changes.

  • What controls are utilized for managing backup, recovery, business continuity and disaster operations for your services? What is your guarantee for uptime?

  • Are cloud servers and/or cloud service providers a part of your solution? If so, which provider(s) do you employ and where are your data centers physically located?

  • Will you provide Saint Peter's University data (including aggregated or anonymized information) to any third party in exchange for money, services or other valuable consideration?

  • Please describe the network security capabilities in place to protect the solution, such as firewalls (perimeter and between internal segments), a web application firewall (WAF), intrusion detection/prevention (IDS/IPS, perimeter and between internal segments), network access control (NAC), and data loss prevention (DLP).

  • Will your employees have access to Saint Peter's University data? If so, which employee roles will have such access and for what purposes?

  • Do you provide a tool that allows customers to export all of their data without vendor assistance? If this can only be done with vendor assistance, what is the typical cost and turnaround time for such an export?

  • What is your strategy for compliance with GDPR and other regulations related to consumer privacy and data protection?

  • Do your services meet HIPAA standards for securing Protected Health Information (PHI)?

Data Integration Model - Any services that are sending or receiving data to or from other University services must support one of the following automated integration models:

  • API - the service vendor will provide an application programming interface (API) that allows data to be retrieved and/or updated in a secure manner.

  • Flat files - the service vendor will provide tools for the export and/or import of data in a text format (csv, xml, etc.) and a secure transport mechanism that can be scripted to run without operator interaction.  Frequently the transport requirement is satisfied by an SFTP site hosted by the vendor.

  • Pre-built integration -  the service vendor has already built an integration with the other service(s) with which it will need to exchange data and the configuration of this pre-built integration is included in the proposal.

  • UI-based screen scraping - the service vendor will provide user-interface-based tools to automate moving data between its UI and the UI of another service that is running on the same device at the same time.
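As an added illustration, not part of the policy and not any vendor's tooling, the following script shows what the flat-file model looks like when the vendor-hosted SFTP transport is scripted to run without operator interaction and without weakening the transport: key-based authentication with a single offered identity, the vendor's host key pinned in a dedicated known_hosts file so a changed key fails the job instead of being accepted, batch mode so no prompt can hang a scheduled run, and a sanity check of the downloaded CSV before it is handed to an import. The host name, service account, file paths and column names are assumptions chosen for the example.

```shell
#!/bin/sh
# Unattended flat-file pull from a vendor-hosted SFTP site.
# Added example; the host, account, paths and CSV columns are assumptions.
set -eu

VENDOR_HOST="sftp.vendor.example"                  # assumed vendor SFTP host
VENDOR_USER="spu-export"                           # assumed service account
KEY_FILE="/etc/integration/vendor_ed25519"         # private key, mode 0600
KNOWN_HOSTS="/etc/integration/vendor_known_hosts"  # holds only the vendor's pinned key
REMOTE_FILE="/outbound/students.csv"
LOCAL_DIR="/var/lib/integration/inbound"
EXPECTED_HEADER="student_id,last_name,first_name,email"  # assumed export schema

# Download REMOTE_FILE into LOCAL_DIR. The batch command arrives on stdin, so
# no operator is involved. StrictHostKeyChecking=yes against a dedicated
# known_hosts file makes a changed vendor host key fail the job rather than be
# silently accepted; BatchMode=yes ensures no password or confirmation prompt
# can ever hang a scheduled run; IdentitiesOnly=yes offers only our one key.
fetch_export() {
    printf 'get %s %s/\n' "$REMOTE_FILE" "$LOCAL_DIR" |
        sftp -o BatchMode=yes \
             -o StrictHostKeyChecking=yes \
             -o "UserKnownHostsFile=$KNOWN_HOSTS" \
             -o IdentitiesOnly=yes \
             -i "$KEY_FILE" \
             -b - "$VENDOR_USER@$VENDOR_HOST"
}

# Sanity-check a downloaded CSV before it is handed to an import: non-empty,
# exact expected header (CRLF tolerated), at least one data row.
# Prints the data-row count and returns 0 on success; returns 1 otherwise.
verify_export() {
    file="$1"
    [ -s "$file" ] || { echo "empty export: $file" >&2; return 1; }
    header=$(head -n 1 "$file" | tr -d '\r')
    [ "$header" = "$EXPECTED_HEADER" ] || { echo "unexpected header: $header" >&2; return 1; }
    # grep -c '' counts lines even when the last one lacks a trailing newline.
    rows=$(( $(grep -c '' "$file") - 1 ))
    [ "$rows" -ge 1 ] || { echo "no data rows in $file" >&2; return 1; }
    echo "$rows"
}

# Offline demonstration of the check on a constructed two-row export.
demo_verify() {
    tmp=$(mktemp)
    printf '%s\r\n%s\n%s' "$EXPECTED_HEADER" \
        "1001,Doe,Jane,jdoe@example.edu" \
        "1002,Roe,Rick,rroe@example.edu" > "$tmp"
    verify_export "$tmp"
    rm -f "$tmp"
}

main() {
    mkdir -p "$LOCAL_DIR"
    fetch_export
    rows=$(verify_export "$LOCAL_DIR/$(basename "$REMOTE_FILE")")
    echo "export ok: $rows rows"
}

# Run the real transfer only when invoked as vendor_pull.sh; otherwise just
# exercise the offline check so the script can be read and run anywhere.
if [ "${0##*/}" = "vendor_pull.sh" ]; then main; else demo_verify; fi
```

The known_hosts file is populated once, out of band, from a fingerprint the vendor's technical contact confirms; after that, the job refuses to talk to any host presenting a different key. The header check catches the most common silent failure of flat-file integrations, a vendor changing the export layout without notice, before bad rows reach the receiving system.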

Authentication Model - Any service in which members of the University will log in, including systems in which only application administrators log in, must either be on the G Suite pre-integrated application list or otherwise support SAML 2.0 with IdP-initiated SSO. SP-initiated SSO may additionally be supported but is not required.

While these four areas are general guidelines, depending on the specific service and depth of integration required, more detailed requirements may be identified by IT on a case-by-case basis.

Compliance

Because of the complexity and nuance involved, departments are not expected to vet prospective services against these technical considerations themselves. Instead, an IT Project Request should be submitted, and IT will assign a resource to work with the service provider's technical contacts to evaluate compatibility.

Exceptions

In specific cases, there may not be a commercially available service that meets both the functional and technical requirements. In these cases of demonstrable business need, a detailed description of the need can be submitted as part of the project request for review.

Enforcement

As described in Saint Peter’s University’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

Approval

Approved by the ITLT on February 10th, 2021.

Details

Article ID: 116746
Created: Wed 9/23/20 9:12 AM
Modified: Wed 9/28/22 7:59 AM

Related Articles (1)

This article contains the University's IT Project Request Policy which helps explain the criteria for distinguishing IT project requests from other types of IT requests and the acceptable process to engage with the Division of IT on any University projects with a technology component.
