Standard and Process

The following supplements the requirements in the Vendor/Supplier Management Standard published in the University Policy library.

Responsibility for information security

University units or individuals contracting with vendors or service providers that collect, transmit, process, or store University data are responsible for ensuring that the vendor or service provider complies with information security controls throughout the contract lifecycle, as specified in the University of Minnesota information security standards (including the Software Development Standard), at all security levels. This applies to ‘freeware’ and End User License Agreements as well as to paid services (as defined in University of Minnesota Information Security policy and standards).

Reasonable assurance of a vendor’s security can most often be obtained through document reviews on a recurring and timely basis, from procurement to the end of the contract. The depth of the initial vendor security review and the frequency of ongoing reviews must be based on:

Expectations of vendor security reviews based on security level

Security level: Low
  • Example data types: Course offerings, invoices (without SSNs), purchase orders
  • Example compliance requirements: No legal or contract requirements
  • Components of initial review:
    • Review vendor documentation
    • Search online security registries (recommended registries below, or in consultation with UIS)
    • Confirm that the vendor accepts UMN data ownership
    • Consult UIS
  • Frequency of ongoing review: Periodic review to ensure continuing service levels (at contract renewal or a maximum of 3 years)

Security level: Medium
  • Example data types: FERPA data
  • Example compliance requirements: FERPA
  • Components of initial review:
    • Review vendor documentation
    • Independent third-party attestation, if available
    • Involves UIS and UMN Compliance Officers
  • Frequency of ongoing review: Periodic review to ensure continuing security (at contract renewal or a maximum of 3 years)

Security level: High
  • Example data types: Regulated data, including PHI, PCI DSS, FISMA, and other
  • Example compliance requirements: HIPAA, FISMA, PCI DSS
  • Components of initial review:
    • Review vendor documentation
    • Independent third-party attestation (depending on compliance requirements or availability)
    • Involves UIS and UMN Compliance Officers
  • Frequency of ongoing review: Regular review to ensure continuing compliance per regulatory requirement (recommended annually)

Procurement phase

  1. Contact the Technology Advisory Council (TAC) for guidance on new technologies.
  2. Use the appropriate UMN vendor/supplier questionnaire:
    1. There are 2 versions of the questionnaire:
      1. Software/hardware
      2. Professional services, i.e. not including software/hardware delivery
    2. Each questionnaire includes a limited set of screening questions for any security level and a longer set of questions for finalists. RFPs require inclusion of relevant questions from the UMN vendor/supplier questionnaire, but units can also use the questionnaire as a standard method to collect security information from non-RFP vendors.
  3. Contact UIS if you need assistance in evaluating the vendor’s responses.
  4. Retain contract and due diligence records for the duration of the relationship with the vendor.

Contracts

Contact University Purchasing Services for guidance on new or renewing contracts. The University’s Entering Into Contracts policy provides information on entering into a contract with a vendor, including when a subject matter expert (SME) consult with University Information Security and other SMEs is required.

All contracts for IT services should include confidentiality clauses that protect proprietary information or private data on behalf of the University.

Vendor/supplier documentation

There are multiple ways in which vendors may demonstrate that they have adequate security measures in place. All those listed below are acceptable to the University.

  • Major vendors may have current certifications or attestations, including:
    • SSAE 18 / SysTrust SOC 2 Type II
    • HITRUST
    • ISO 27001
    • PCI DSS (SAQ or ROC)
    • Cloud Security Alliance STAR certification
    • NIST-FISMA
  • Vendors not operating with regulated data or smaller vendors may be:

Document Management

Document Responsibility and History

Document Owner: University Information Security

Document Approvers:
  • Brian Dahlin, Chief Information Security Officer
  • Bernard Gulachek, VP of Information Technology and Chief Information Officer

Effective Date: August 2010

Last Reviewed Date: May 2019