Standard and Process
See the specific requirements in the Vendor/Supplier Management Standard published in the University Policy library. The following supplements the requirements in University policy.
Vendors/Suppliers who collect, transmit, process, or store University data are required to adhere to the University’s Information Security Policy, laws, and contractual agreements for the type of data entrusted to them.
Certain types of data require the University to comply with external mandates. Such mandates include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
Individuals or units are responsible for ensuring that vendor/supplier IT services that collect, transmit, process, or store University data meet information security controls from procurement through the termination of services.
Units need to work with the vendor/supplier to follow the University Information Security Policy and Standards. This includes:
- reviewing the Information Security Policy and Standards and determining which apply to your purchase,
- communicating with the vendor/supplier regarding applicable required information security controls,
- obtaining from the vendor/supplier confirmation that they comply.
Purchasing - Include Information Security Questions
The University Purchasing Goods and Services policy provides information on purchasing and when a Request for Proposal (RFP) is required.
Prior to the purchase, review the suggested list of Information Security Questions for Purchasing IT Solutions/Services and include those that are relevant to your purchase. These questions can also be used for purchases that do not require an RFP. If you need help understanding vendor/supplier responses to the information security questions, or have other information security questions related to purchasing, Request an Information Security Consultation.
Contracts - Include Information Security Questions
The University Entering Into Contracts policy provides information on entering into a contract with a vendor/supplier, including when a subject matter expert (SME) consult is required with University Information Security and other SMEs. For University Information Security, see Request an Information Security Consultation.
The list of information security-related contract questions provides items to consider including in your contract with a vendor/supplier.
Vendor Certifications/Attestations for Information Security
Some purchases or contracts involving University data require an initial and an ongoing review of the vendor/supplier's certification or attestation of compliance or security controls. See the Vendor/Supplier Management Standard. The following are examples of certifications/attestations:
- ISO 27001
- PCI DSS (SAQ or ROC)
- Cloud Security Alliance (CSA) self-assessment or CAIQ
- Cloud Security Alliance STAR certification
For your review of the vendor/supplier certification or attestation, you can refer to the SOC/SSAE18 review template for what to review. If you have information security questions, Request an Information Security Consultation.
Units using third-party vendors for information system services or custom software development need to ensure that proper controls are in place to satisfy the University's "due diligence" requirements, including but not limited to the following:
- Information security contract language is added to all contracts that provide access to University systems, data, sensitive areas (such as data centers, wiring closets, etc.) or provide custom development on behalf of the University.
- Vendor contracts should include confidentiality clauses that protect proprietary information or private data on behalf of the University.
- Custom software development by third parties of critical systems, or of systems collecting, transmitting, or storing sensitive data, needs to comply with the Secure Application Development guidelines.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013
- Practices for the Information Security Policy
- University Policy: Entering Into Contracts
- University Policy: Purchasing Goods and Services
- Information Security RFP Questions
- Evaluate the Information Security Controls of IT Service Providers/Vendors
- Information Security Questions for Contract Review
- SOC/SSAE 18 Review Template
- Technology Portfolio