Information Security Requirements & Policies for Procurement Compliance Review (PCR)

The acquisition of Information and Communication Technology (ICT) at ºÚÁÏÍø is subject to the information security review process, which is guided by the following documents and CSU policies.

Documents Requested for Procurement Compliance Review (PCR)

A. Minimum Requirement for All CSU Purchases

  • HECVAT (Higher Education Community Vendor Assessment Toolkit)
    A standardized self-assessment questionnaire used by colleges and universities to evaluate the information security and data protection practices of third-party vendors.

B. Highly Desirable Security Certifications/Documents

  1. ISO/IEC 27001
    International standard for Information Security Management Systems (ISMS), providing a framework for managing and protecting sensitive information.
  2. HITRUST Certification
    A cybersecurity and compliance certification based on the HITRUST CSF®, commonly used in healthcare, finance, and government sectors to demonstrate data protection and regulatory compliance.
  3. FedRAMP (Federal Risk and Authorization Management Program)
    U.S. government-wide program for standardized security assessment, authorization, and continuous monitoring of cloud services used by federal agencies.
  4. StateRAMP / GovRAMP
    Modeled after FedRAMP, this framework helps state and local governments assess and authorize cloud service providers (CSPs) for handling sensitive data.
  5. TX-RAMP Level 2 (Texas Risk and Authorization Management Program)
    A cybersecurity certification framework developed by the Texas DIR for cloud services used by Texas state agencies and public institutions.

C. Alternative Documentation (If Certifications in Section B Are Not Available)

  • SOC 2 Type II Report
    An independent audit report evaluating a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy over time.

D. Minimum Requirement (If No Documents from Sections B or C Are Available)

  • Vulnerability Scan Reports
    Reports identifying and assessing security weaknesses in systems, networks, and applications.

E. Additional Requirements for Payment Processing

  • PCI AOC (Payment Card Industry Attestation of Compliance)
    A formal document certifying compliance with PCI DSS standards for protecting cardholder data during storage, processing, or transmission.

F. Additional Requirements for Health Data Storage

  1. HITRUST Certification (as described in Section B)
  2. Third-Party HIPAA Audit
    Independent audit verifying compliance with HIPAA security and privacy controls.

CSU Policy

Commonly referenced sections of the .