San Diego State University - Leadership Starts Here

Information Technology Security Office (ITSO)


Security Checklist: PL2 Data

The Protected Level 2 Assessment is available for download from this page.

Once the checklist has been completed and emailed to , the process proceeds as follows:

  • The ISO will review the checklist.
  • The ISO will review the SSL certificate of any SaaS URL provided in Step 1 of the checklist.
  • The manager must request that the vendor complete the PL2 Security Assessment. Submit the assessment to the vendor, with these guidelines:
    • The vendor will need technical support to complete the survey.
    • Note: At the manager's discretion, a meeting may be scheduled with the ISO, the manager, and the vendor's technical support to walk through any and all of the assessment items.
    • On every row of the assessment, mark exactly one of the Yes, No, or N/A columns with an X.
    • It is very important that the vendor use the Notes column for every No and N/A answer. For example, the vendor might answer No for a control but note that it is planned for the next release. Or, the vendor may answer N/A for an item and note that they offer the control but SDSU has elected not to include it in the contract.
    • Some items reference physical security or server management. If the vendor uses IaaS (house your servers in a hosted datacenter) and/or PaaS (hosted server), then they must indicate how their provider complies with the control item. For example, if the vendor uses Amazon Web Services, they should reference the AWS security documents when completing the assessment answer. Vendors must not answer N/A for areas managed by their subcontractors, because SDSU needs to know how those subcontractors address each item. The vendor must answer N/A only for areas outside the services they provide to SDSU or not included in the SDSU contract.
    • Noncompliant items do not necessarily affect the contract. Some risks are acceptable, and others can be negotiated for future mitigation.
  • The ISO will review the security assessment and discuss any concerns with the manager.
  • The manager will follow up with the vendor to address all concerns.
  • Once all concerns are addressed, the ISO will email the signed security checklist to the manager.
  • The manager will provide the signed checklist to the appropriate Buyer in Contracts and Procurement Management.

Note: documents in Excel format (XLS) require Microsoft Excel or the Microsoft Excel Viewer.