Minimum Security Requirements

UT System Information Security Requirements

  1. Multi-factor Authentication (MFA or two-factor authentication [2FA]), as defined by NIST SP 800-63, must be applied to system and application Administrators and users with elevated privileges who access defined UT System Confidential data.
  2. Contractor must use encryption standards approved by UT System as defined in NIST SP 800-175B Rev. 1 for confidential data at rest, in motion, during processing, and for UT System mobile applications, websites, and portals.
  3. As required by Section 2054.517 of the Texas Government Code and defined in UTS 165 Standard 11.8, before deploying an Internet website (or portal) or mobile application that processes UT System confidential information, the developer or third party responsible for development must:
    1. Submit the following documentation:
      1. the architecture[i] of the website and mobile applications;
      2. the authentication mechanism(s) for the website and applications;
      3. the Administrator-level access to data included in or accessed by the website and applications;
    2. Subject the website, portal and applications to a vulnerability and penetration test as described[ii]; this test must be repeated every year during the contract period.
    3. Utilize approved access and authentication mechanisms[iii].
    4. Apply two-factor authentication (2FA, also known as multi-factor authentication [MFA]) for Administrative or privileged user access.
  4. If the Contractor is providing a cloud-based service, the State of Texas requires certification of TX-RAMP status. See SB 475 for specific language. UT System will work with the Contractor to request a provisional certification for a short period if certain criteria are met.
  5. If Contractor is responsible for credit card processing, the current version of PCI-DSS requirements must be met.

Additional Requirements:

  • UT System is required to conduct annual security risk assessments, and the UT Information Security staff will request updated information from the contractor each year. Information may include, but is not limited to: certification and audit reports, vulnerability scans, updated policies, and the like.
  • RFP finalists must be prepared to have appropriate technical security and privacy experts available to address responses in a separate presentation session for UT System.

[i] Website architecture. A diagram and narrative of website logical structure, data flow, and design of the technical, security, functional, and visual components.

[ii] Penetration and vulnerability test. Contractor may choose to either allow UT System to conduct a vulnerability scan on a test environment that mirrors the actual production environment or provide an attestation of a third-party vulnerability assessment. Review and acceptance of the findings shall comply with UTS 165 Standard 10.8.

[iii] Approved access and authentication mechanisms. Reference NIST 800-53B and UTS 165 Standard 4: Access Management for approved standards. A unique identifier that does not include the individual’s social security number, in full or in part, is required per UTS 165 Standard 13: Use and Protection of Social Security Numbers.