CITY OF GRAPEVINE ADMINISTRATIVE POLICY
SUBJECT: OUTSOURCED APPLICATION SECTION: F NUMBER: 5.0
PREPARED BY: Information Technology REVISED DATE: 02/01/2014
PAGE: 1 of 2
PURPOSE
5.1 The purpose of the Outsourced Application policy is to describe information security
requirements for third-party IT service organizations that engage with the City of
Grapevine. A third-party IT service organization is defined as a technology that
manages and delivers application capabilities to multiple entities from a data center
across a wide area network (WAN) or the Internet, such as application service
providers (ASPs), hosting service organizations (HSSOs), and software as a service
(SaaS).
This policy applies to any use of third-party IT service organizations by the City,
independent of where hosted.
POLICY
5.2 REQUIREMENTS OF PROJECT-REQUESTING DEPARTMENT/DIVISION
5.2.1 The project-requesting department/division must first contact the IT director
for assistance in planning any third-party outsourcing arrangement. IT works
closely with the requesting department/division to make sure the
arrangement meets City qualifications. Later in the process, all contractual
agreements must be reviewed by IT and the City attorney. Some of the
things that will be considered during this engagement process are:
5.2.1.1 The information to be hosted by an ASP must not be considered
sensitive data. Data that is never appropriate to outsource
includes Payroll, Personnel, and Police records. HIPAA records
can be outsourced only if all data transfers are encrypted and
the organization meets the City's security requirements. See
Section F Number 12.0 - Mobile Computing & Storage Devices.
5.2.1.2 If the ASP provides confidential information to the City, the
project-requesting department/division is responsible for
ensuring that any obligations of confidentiality are satisfied. This
includes information contained in the ASP's application.
5.3 REQUIREMENTS OF THE APPLICATION SERVICE PROVIDER
5.3.1 The Application Service Provider must show documentation of compliance
with one of the following standards:
o SAS70
o SSAE16
o ISO 27001
5.3.2 A vendor is to provide conversion methodology, programming, and
implementation with City employee and IT assistance.
5.3.3 An application and Data Escrow Arrangement that the City IT Director and
City Attorney agree to must be in place.
5.3.4 An exit plan that the City IT Director and City Attorney agree to must be
stated in the contract.