Information Security Questions for Contract Review
The following questions will assist units or individuals in reviewing IT contracts or licenses, so that information security and risk are considered in advance rather than 'after the fact', especially for activities involving Private-Highly Restricted or Private-Restricted data. See the Vendor/Supplier Management standard in the Information Security Policy.
Review by compliance officers and/or University Information Security (UIS)
Additional review by University compliance officers is required for some data classifications or services:
- Arrangements with vendors relating to PHI must be reviewed by the Chief Health Information Compliance Officer (email@example.com).
- Payment cards (e.g., credit or debit cards) must be reviewed by the PCI DSS Compliance Analyst (firstname.lastname@example.org).
- FERPA protected student data must be reviewed by Stacey Tidball (email@example.com).
- If the vendor can access Private data, or a service is mission-critical, the vendor's data security must be reviewed by University Information Security (firstname.lastname@example.org).
For more information, see the Entering Into Contracts Policy Review by Subject Matter Experts.
The questions below are organized in a similar way to many information technology contracts. Many relate to off-site or 'cloud' services, but they may also apply to software running on University-owned hardware ('on-premises'). The third column shows the answer that the University would normally want to see.
| Area | Question | Desired answer |
|---|---|---|
| Compliance | Does the vendor agree to maintain compliance with an industry standard or government regulation (e.g. HIPAA, FERPA, FISMA, PCI DSS)? | Yes |
| Compliance | Will the vendor create, receive, maintain, or transmit Protected Health Information (PHI)? If yes, contact the Chief Health Information Privacy Officer at email@example.com for assistance. | Yes |
| Compliance | Will the vendor receive, maintain, or transmit credit card and/or debit card information? | |
| Compliance | Will the vendor provide services that control or could impact the security of credit card and/or debit card information? If yes, contact the Payment Card Program at firstname.lastname@example.org for assistance. | |
| Independent Assessment | Does the vendor offer to provide a current third-party attestation of information security controls (such as SSAE 16/SOC II, PCI DSS AOC) for themselves and any sub-contractors on a regular (usually annual) basis? | Yes |
| Termination | Does the vendor allow UMN to review or audit the data destruction process in real time as well as afterwards? | Yes |
| Right to Assess/Audit | Does the vendor agree to respond and cooperate during an information security investigation/assessment or process/record review/audit? | Yes |
| Insurance | Will the vendor add the University as an 'additional insured' party to the vendor's insurance to cover potential breach costs? | Yes |
| Service Levels | Does the vendor specify Service Levels with Service Level Objectives (e.g. 99.9% uptime) and a scheduled maintenance cycle? | Yes |
| Intellectual Property | Does the contract contain language to protect UMN data or intellectual property to the same level as the vendor's own protection? | Yes |
| Information Security Awareness | Does the vendor state that they have an established/documented information security awareness program for their employees and contractors? | Yes |
| Non-disclosure | Does the vendor bind its employees and contractors to non-disclosure of customer data or intellectual property? | Yes |
| Sub-contractors | Does the vendor state that all subcontractors are obligated to comply with the same terms and conditions? This particularly applies to data destruction at termination of the contract and notification of information security incidents. | Yes |
| Independent Assessment | Does the vendor agree to independent, third-party information security assessments on a regular basis? | |
| System Development | Does the vendor agree to adhere to security best practices for system development and maintenance? | |
| System Maintenance | Does the vendor agree to maintain current software versions and to patch regularly? | Yes |
| System Maintenance | Does the vendor agree to fix/patch information security deficiencies or bugs in its or subcontractors' service/software in a timely fashion? Contracts frequently use the term 'commercially reasonable'. | Yes |
| Notification/Incident Response | Does the contract obligate the vendor to notify the customer within 24 hours of major/significant issues? Does the contract define major/significant? | Yes |
| Disaster Recovery | Does the vendor state that they have an established/documented Disaster Recovery process to protect UMN data or operations? | Yes |
| Breach Notification | Does the vendor agree to notify UMN within 48 hours of an information security incident or breach that has likely compromised, or involves inappropriate access to, UMN data? | Yes |
| Breach Liability | Does the vendor assume liability for the costs of investigating, responding to and mitigating an information security breach due to failure to conform to the contract's terms? | Yes |
| Indemnification | Does the contract obligate the vendor to indemnify UMN and faculty/staff against legal actions/third-party claims, including costs and fees? | Yes |
| Termination | Does the vendor acknowledge responsibility to protect UMN data, for itself and subcontractors, continuing after termination of the contract? | Yes |
| Termination | Does the contract state that the termination obligations survive the termination of the agreement? | Yes |
| Termination | Does the vendor agree to expedite return of all UMN data, or to destroy the data including backup copies, within a specified time period after termination of the agreement? It is reasonable to allow an extended period for destruction of backup data. Will the vendor agree to return the data at the University's request, in a commonly readable format? | Yes |
Frequently Asked Questions
Q: Is this the same as a legal contract review?
A: No. University Information Security can interpret technical or business-process questions, but does not advise on contractual language. Review by the Office of General Counsel is covered in the Entering Into Contracts policy.
Q: Are these the only information security issues to consider?
A: No. The list is based on gaps in contract language that University Information Security has noticed recently, and not all questions apply to every contract.
Q: How do I score the answers to these questions?
A: These questions are not intended to be scored. They are factors to consider as part of the decision to select a vendor or adopt a technology solution.