I'm trying to pull together a list due to a negative
experience (imagine that). This is the start.
1) Your university privacy statements and your web privacy
statements need to indicate that data may be transferred to
a third party. For example, if you outsource giving or
applications, there needs to be an indication of this in
your privacy statement.
2) Make sure you write your contract with strict measurable
statements; much of what follows should be written in your
3) The web server and database server must be separate
servers. This may be obvious technically, but don't assume
your vendor will implement accordingly. Establish the
guidelines for your standards of systems security, including
access controls and physical access.
4) Specifically state what OS and database software are
acceptable to you. If this were developed in your shop, you
would carefully choose these tools, and the security of the
tools would be part of the discussion. State that the OS
and database will not change without your prior written
5) All subcontractors must be agreed to in writing by you
prior to your vendor entering into the contract.
Appropriate risk management guidelines (levels of insurance
liability) must cover all vendors and sub-contractors.
6) Specifically state your security requirements. For data
transmission, is SFTP required? Do you require a
certificate / SSL on the website? A validated certificate
or self-signed (think about the naming on the certificate).
7) Write up how any accidental or unintentional data
exposures will be handled (do you want them to handle
8) If data entry is involved, who sets the data entry
standards and how will data accuracy be measured?
9) Have specific measures of success: web site uptime,
website to database connectivity uptime, database uptime,
data entered on the site will be processed within x amount
of time, etc.
10) Who controls the web site design? Who controls links
from the site? Will your copyrights and graphics be involved,
and how will they be protected? How will sub-URLs (to the
slash), 404 page errors, etc., be handled?
11) If the overall process does not "work," how will you
transition? What data/design/information returns to you, and
how can you use it? A job applicant site should collect job
applications; a giving site should collect donations; an
admissions site should collect and process student
admissions. If your volume "drops" or is unacceptable (the
business "doesn't work"), what is your exit strategy?
That's a start.
---- Original message ----
>Date: Mon, 11 Apr 2005 16:24:03 -0500
>From: Dave Netz <[log in to unmask]>
>Subject: [CIO] Hosted Services Guidelines
>To: [log in to unmask]
> Do any of you have a set of criteria that you use
> when working with hosted service vendors? I have
> not checked the Educause web site yet, but if you
> have developed either a set of questions or an RFP
> for hosted services, that would be very helpful.
> This is primarily to do with remote data storage,
> and perhaps also web services.
> Thanks for your assistance.
> David J. Netz
> Vice President for Information Services
> Dordt College
> Sioux Center, IA 51250
> [log in to unmask]
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
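Item 6 in the reply above asks whether the vendor's site will carry a validated or self-signed certificate and tells you to think about the name on it. The following Python check is added here as an example; it is not part of the original message or of any vendor's tooling. It compares a certificate's subjectAltName DNS entries (in the shape Python's ssl getpeercert() returns) against the hostname you will actually publish to users, applying the usual RFC 6125 wildcard rules, and includes a live fetch that fails outright on a self-signed or otherwise untrusted chain. The vendor hostname, the university hostname and the certificate contents are constructed for the example.

```python
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Follows the usual RFC 6125 rules: case-insensitive, and a wildcard is
    allowed only as the entire leftmost label, where it matches exactly one
    label ("*.vendor.example" covers "apps.vendor.example" but neither
    "a.b.vendor.example" nor "vendor.example").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, and at least two
    # labels must follow it so that "*.com"-style names never match.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """Return the DNS names from a certificate's subjectAltName extension.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(). Only SAN
    entries count: current browsers ignore the subject commonName.
    """
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def check_cert_names(cert: dict, hostname: str) -> dict:
    """Report whether `cert` covers the name users will type into a browser."""
    names = san_dns_names(cert)
    if not names:
        return {"ok": False, "names": names,
                "reason": "no DNS subjectAltName; browsers will reject it"}
    if any(_dns_name_matches(n, hostname) for n in names):
        return {"ok": True, "names": names, "reason": "name covered"}
    return {"ok": False, "names": names,
            "reason": f"{hostname} is not among the certificate names"}


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live version: connect to the vendor host and return the verified cert.

    ssl.create_default_context() verifies the chain against the system
    trust store and checks the hostname, so a self-signed vendor
    certificate raises ssl.SSLCertVerificationError here instead of
    passing silently. Not exercised offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns: the vendor's own
# certificate, never issued for the university's vanity hostname.
VENDOR_CERT = {
    "subject": ((("commonName", "apps.vendor-hosting.example"),),),
    "subjectAltName": (("DNS", "apps.vendor-hosting.example"),
                       ("DNS", "*.vendor-hosting.example")),
}

if __name__ == "__main__":
    # The vendor's certificate passes for its own names but not for the
    # hostname the university would put in front of donors or applicants.
    for host in ("apps.vendor-hosting.example", "giving.university.example"):
        print(host, check_cert_names(VENDOR_CERT, host))
```

The practical use is at contract time: run check_cert_names over the certificate the vendor proposes (or fetch_peer_cert against a staging host) using the hostname you intend to publish, and write the result into the requirement, i.e. a certificate from a publicly trusted CA whose subjectAltName lists your hostname, not only the vendor's.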