Information Security Reviews for Research Projects: A Primer
By: Ray Phillips, Security Risk Analyst (University Information Security)
Are you looking to acquire new technology to meet a teaching or administrative need? Selecting a qualified vendor to provide IT solutions or services can resemble dating! There is a common interest in a relationship of trust, but there may be communication issues, and it can take time to align expectations. Vendor services and the contracts governing them are rarely one-and-done, because business requirements, regulations, technology, or company ownership can change.
Fortunately, faculty or staff who need to engage corporate vendors have resources at the U who can help review initial and ongoing vendor partnerships so that our collaborations avoid foreseeable risks.
- Purchasing Services advises on fair and neutral procurement processes for any contracts with vendors, and manages all Requests for Proposals involving services over $50k.
- The Office of General Counsel (OGC) provides contract templates and reviews all service contracts (regardless of dollar amount) to comply with current statutes and University policy.
- University Information Security (UIS) provides standardized information security questionnaires and can review vendor responses and security documentation for risk analysis and compliance with University standards based on the sensitivity of the service provided. The newly revised Vendor/Supplier Management page explains the components of a vendor security review and includes links to online registries of vendors who have completed security questionnaires and made them publicly available.
- The Technology Advisory Council (TAC) is a forum of technologists who can help evaluate options for new technology.
As you plan to evaluate IT vendors, please build in time to consult these resources to maintain comparable levels of service across the University community.