Purchasing & IT Security
Originally Presented at Fall ACCBO
Background
During the 2016 Fall ACCBO Conference, all subject matter related to the Procurement side of this discussion was presented by Clarence Rogers, Associate Director, Procurement Services, from the System Office. Clarence was unable to attend IIPS for this presentation.
1/14/2019
Background
The intent of this presentation to the Business Officers/ACCBO was to encourage IT participation throughout the purchasing process for all IT contracts and initiatives.
Why the Change?
Recent changes in Session Law and in the DIT contract approval process now require Purchasing and IT Security to partner together to be successful. This discussion puts together some of the pieces of how the new process works and describes the evolving requirements for managing IT contracts.
IT Contracts
The State CIO shall provide a report of all contract awards approved through the Statewide Procurement Office. The report shall include the amount of the award, the contract term, the awarded vendor, the using agency, and a short description of the nature of the award.
Exception Requests
Complete the required Exception Request Forms:
- Sourcing
  - Contract beyond 3 years
  - Limited Waiver (Brand Specific)
  - Waiver (Sole Source)
  - Use of Another Agency Contract/Cooperative Agreement
- Standards
  - Hosting
  - Data Center
  - Other
- Security
Purchasing
The role of Procurement Services is to create an effective workflow process and issue binding agreements. Clarence or Sharon will facilitate.
Exception Requests
Early engagement and partnership between business owners, IT, procurement, and your other internal agency stakeholders is key when defining your submission.
Purchasing
Submitting a requisition after the Business Owner has identified the need is the key to beginning the procurement process.
Purchasing
The SOW is the most important section of the document.
Purchasing
The Procurement Office submits the solicitation documents (RFQ, IFB, RFP, RFI) and the Exception Request to DIT for review and approval to post, or to issue the RFQ directly to the vendor if competition is waived. Clarence or Sharon.
Purchasing
The Procurement Office will issue the purchase order. Clarence or Sharon.
IT Security
IT Standards & IT Security Exception Request Reviews
Contracts for IT products and services require the Contract Administrator to partner with IT Security and the vendor for success.
Contract Administrator responsibilities, with IT Security support:
- Completion of required DIT documentation and forms for the Exception Request
- Collection of vendor IT security compliance reports and artifacts
- Annual requirement to recertify IT security compliance
IT Standards & IT Security Exception Request Reviews
What are the Standards for IT Contracts?
- IT Standards: North Carolina General Statutes 147, Article 3D; Session Law 2015-241, amended in S.L. 2016-94
- Security Deviation: Statewide Information Security Manual (ISO 27001, soon to be NIST)
- Federal Standards, Policies, Laws: FERPA, HIPAA, PCI-DSS, GLBA, FISMA
IT Standards & IT Security Exception Request Reviews
Conditions that require an Exception Request
- $0 threshold for IT contracts needing an Exception Request
- Session Law 2015-241, Section 7.9.(b): State agencies shall use the State infrastructure to host their projects, services, data, and applications, except that the State Chief Information Officer may grant an exception if the State agency demonstrates any of the following:
  (1) Using an outside contractor would be more cost effective for the State.
  (2) The Department of Information Technology does not have the technical capabilities required to host the application.
  (3) Valid security requirements preclude the use of State infrastructure, and a vendor can provide a more secure environment.
- Session Law 2016-94 amended 7.9.(b) to add: With the prior approval of the State Chief Information Officer, applications that are natively or commercially sold and delivered as cloud-based solutions are not subject to the requirements of this subsection.
- Deviation from the Statewide Information Security Manual
IT Standards & IT Security Exception Request Reviews
Forms required to address IT Security for DIT Exception Requests
- DIT Exception Request Forms: always download the latest form from http://it.nc.gov/document/exception-request-forms
  - Exception - Form B: Standards
- DIT Privacy Threshold Analysis (PTA) Form: http://it.nc.gov/document/privacy-threshold-analysis-pta-form
- Security Statement by the Agency Security Liaison (me!)
IT Standards & IT Security Exception Request Reviews
Vendor Documentation and Artifacts
This list will vary based on the type of data and on how the data is transmitted and stored. Cloud can be SaaS, IaaS or PaaS.
Cloud-based services (not hosted at DIT or on State infrastructure):
- Must provide evidence of a major IT security compliance assessment:
  - SOC 2 Type 2
  - SSAE 16
  - ISO 27001 certification
  - FedRAMP
- A credentialed vulnerability scan:
  - Must be Open Vulnerability Assessment Language (OVAL) compliant
  - Must support CVE reporting for identification of Critical, High, Medium and Low vulnerabilities
- Other documentation regarding data flow, security protocols and review process, as identified or requested.
IT Standards & IT Security Exception Request Reviews
Most importantly... This is a new and evolving requirement!
Touchdown System
Applies to the System Office and provided here for information.
All Information Technology (IT) projects must be tracked in the DIT Touchdown system.
IT project defined:
- Temporary endeavor
- Has a start and end date
- Results in an IT product, system or service being implemented or delivered
- There are no dollar thresholds
All IT RFPs must be tracked in the DIT Touchdown system. Includes:
- Project charter approvals, System Office and State level
- Presentation to the Executive Leadership Council
- Additional reviews/approvals at the State level, including RFP review and Contract Award decision points
All IT RFIs must be entered in the Touchdown system and in the Business Concept phase.
Roles and Responsibilities of Contract/Business Owner
Contract or Business Owner: The VP of the Division of the System Office seeking the goods or services provided under the contract.
Role: The VP is the person who has the authority to sign the contract.
Responsibilities: The VP assigns people within his/her division to draft the scope of work, obtain the financial information, and obtain other information necessary for a draft agreement or submission to Procurement Services.
Applies to the System Office and provided here for information.
Roles and Responsibilities of Contract Administrator
Contract Administrator: Usually the project team leader assigned by the Division VP to submit the contract and other necessary documents to Procurement Services.
Roles: This person is the contact for Procurement Services, Finance and Operations, and Legal Affairs, ensuring that changes to the draft are reviewed by the project team.
Responsibilities: This person should be aware of the start and end dates of a contract and of the technical terms and requirements of the contract.
Applies to the System Office and provided here for information.
Q&A