Security Requirements for Information Technology Purchases

As part of the selection process, Respondents must demonstrate compliance with the security criteria listed in the categories stated on the accompanying University of Missouri Information Security Requirements spreadsheet by responding in writing to every statement and question. It is the Respondent's responsibility to supply sufficient and complete information for a full evaluation of all items in this section, including detailed explanations. Validation of the answers provided by the Respondent may be conducted during the review/assessment process. Any erroneous information could limit the Respondent's ability to finalize implementation of the proposed solution. Please include any security white papers, technical documents, or policies that are applicable. Failure to provide the necessary information to meet the requirements in this section could lead to disqualification.

The University considers security to be an ongoing responsibility and, as a result, these information security criteria are subject to additions and changes without warning. When appropriate, the successful vendor will be expected to work in good faith with the University to maintain compliance with new laws and regulations and/or to improve the security of the proposed system.

Data Classification System

Vendors are expected to maintain an awareness of the laws and regulations applicable to the use of the proposed solution in a University environment. The University of Missouri reserves the right to periodically audit the hardware and/or software infrastructure to ensure compliance with industry best practices as well as the requirements of the University's Data Classification System. When applicable, the University of Missouri requires compliance with the Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) specifications and all other applicable state, local and federal laws and regulations.

In order to apply security measures in the most appropriate and cost-effective manner, data stored electronically must be evaluated and assigned a Data Classification Level (DCL) of 1, 2, 3, or 4. The DCL of the data establishes the extent and type of information security measures that must be implemented. The security requirements set forth are high-level requirements that establish the minimum standards necessary for each DCL. Definitions of the DCLs are available. A post-award technical review and assessment is required for all DCL3 and DCL4 system/application implementations. All reviews/assessments shall be prescheduled with the vendor, and assessment results will be provided to the departmental representative and to the vendor.

Compensating Controls & Descriptions

All statements and questions on the spreadsheet are mandatory unless they are not applicable. The Respondent must clearly explain why a given question is not applicable. For all other questions, if a requirement cannot be met, the Respondent still has an opportunity to meet the requirement by the use of compensating controls. In some instances, the University has requested that the Respondent provide a description to accompany their response to a particular statement or question. Descriptions are requested when a "Meets or Exceeds" answer alone could be deceptive without further detail. Compensating controls must be described in full in the appropriate column. When more room is needed to fully explain the compensating control or provide a complete description, attachments can be included in the proposal response so long as such attachments are labeled and cross-referenced in the "Comments, Descriptions or Explanations of Compensating Controls" column. In such circumstances, the vendor must provide a full explanation of the compensating control including an explanation of how the control meets the intent of the original question. The University has the sole right to determine if a proposed compensating control is an acceptable solution and if the details provided describe a solution that truly meets or exceeds the University's needs.

Reviewed 2024-03-07