Technology Procurement - Security Approval

Issue/Question
  • What is considered during the security approval portion of the procurement process?


Overview

The Technology Procurement process includes a security assessment to determine if the hardware, software, or service meets DSU's standards. This article covers some of those considerations that may lead to a purchase being approved or denied.


Environment

  • All technology procurement requests.


Guide


Cause for immediate deny:

Vendor/company's primary headquarters is in China, Iran, North Korea, Russia, Cuba or Venezuela. Note: This determination is based on the location of the vendor's primary headquarters, not on where the product is manufactured or on whether the company operates in one of the restricted countries.


Items of concern:

  1. The company does not have a formal IT security program.
  2. The company has a history of breaches or compromises.
  3. The company is new to market.
  4. The company is known to cut corners on security.
  5. Product or service requires authentication, but the requirements are weak and/or it does not support MFA or SSO.
  6. Product or service does not allow access to sensitive data to be restricted to authorized personnel only.
  7. Product or service collects an excessive amount of sensitive information and provides no data protections.
  8. Product or service does not meet applicable compliance standards.
  9. Product or service does not transmit or store data securely (for example, no encryption in transit or at rest).
  10. Any additional finding that may suggest the product or service will be a high risk for DSU.

A single item of concern is unlikely to cause a procurement denial on its own; however, a few critical concerns or several minor ones may lead to a deny status.


Items that will always be approved from a security perspective:

  1. Products or services required by the SD BOR.
  2. Company has already been approved.
    • Company re-reviews are completed every 2 years.
  3. Product has already been approved.
    • Product re-reviews are completed every 2 years.
  4. Product or service does not connect to DSU networks, transmit a wireless signal, or collect DSU data.