The following documents are used by the CSU and CSUMB as part of the IT Procurement Contracting process:
General Provisions-IT
IT-Supplemental Provisions for Acquisitions
Acknowledgement (1.0) - Ensures contract as defined is "protected" and subject to laws and regulations
Sub-Contractor Disclosure (2.0) - Ensures that Contractor holds its subcontractors to the terms to which they have agreed
Incident Response Plan (3.0) - Develop or maintain an Information Security Plan adequate to protect the CSU data
PCI Compliance (5.0) - Does the software store, process or transmit payment card data?
PCI-DSS Requirements (5.1) - Payment Card Industry Data Security Standards
PA-DSS Requirements (5.2) - Payment Application Data Security Standards
NACHA Requirements (5.3) - Contractor must comply with NACHA requirements.
HIPAA Requirements (5.4) - Contractor must comply with Health Insurance Portability and Accountability Act (HIPAA) requirements
Risk Management - Personnel Security (6.0) - Contractor (et al) is required to maintain security and privacy of CSU Information assets.
Record Retention (optional) (7.0) - must comply with applicable Record Retention requirements
Risk Assessment (8.0) - must comply with applicable Risk Assessment requirements
Return/Destroy Protected Data (9.0) - Contractor must ensure it returns or adequately disposes of CSU Protected Data