Issue/Question
Overview
The Technology Procurement process includes a security assessment to determine whether the hardware, software, or service meets DSU's standards. This article covers some of the considerations that may lead to a purchase being approved or denied.
Guide
Cause for immediate deny:
- Vendor/company's primary headquarters is in China, Iran, North Korea, Russia, Cuba, or Venezuela. Note: This is based on the location of the primary headquarters, not the manufacturing location or whether the company operates in one of the restricted countries.
Items of concern:
- The company does not have a formal IT security program.
- The company has a history of breaches or compromises.
- The company is new to market.
- The company is known to cut corners on security.
- Product or service requires authentication, but the authentication requirements are weak and/or it does not support MFA or SSO.
- Product or service does not allow sensitive data to be restricted to authorized personnel only.
- Product or service requires an excessive amount of sensitive information with no data protections.
- Product or service does not meet compliance standards.
- Product or service does not implement secure transmission or storage of data.
- Any additional finding that may suggest the product or service will be a high risk for DSU.
A single item of concern is unlikely to cause a procurement denial; however, a few critical concerns or several minor ones may lead to a deny status.
Items that will always be approved from a security perspective:
- Products or services required by the SD BOR.
- Company has already been approved.
- Company re-reviews are completed every 2 years.
- Product has already been approved.
- Product re-reviews are completed every 2 years.
- Product or service does not connect to DSU networks, transmit a wireless signal, or collect DSU data.