Standard and Process
The following supplements the requirements in the Vendor/Supplier Management Standard published in the University Policy library.
Responsibility for information security
University units or individuals contracting with vendors or service providers that collect, transmit, process, or store University data are responsible for ensuring that the vendor or service provider complies with the information security controls specified in the University of Minnesota information security standards, including the Software Development Standard, at all security levels and throughout the contract lifecycle. This applies to ‘freeware’ and End User License Agreements as well as to paid services (as defined in the University of Minnesota information security policy and standards).
Reasonable assurance of a vendor’s security can most often be obtained through document reviews on a recurring and timely basis, from procurement to the end of the contract. The depth of the initial vendor security review and the frequency of ongoing reviews must be based on:
- compliance with legal, regulatory or contractual requirements,
- the data classification, and
- the security level assigned by the unit.
Expectations of vendor security reviews based on security level
|Security level|Example data types|Example compliance requirements|Components of initial review|Frequency of ongoing review|
|---|---|---|---|---|
|Low|Course offerings, invoices (without SSNs), purchase orders|No legal or contract requirements|Review vendor documentation; search online security registries (recommended registries, or in consultation with UIS); confirm that the vendor accepts UMN data ownership; consult UIS|Periodic review to ensure continuing service levels (at contract renewal, or at most every 3 years)|
|Medium|FERPA data|FERPA|Review vendor documentation; independent third-party attestation, if available; involve UIS and UMN Compliance Officers|Periodic review to ensure continuing security (at contract renewal, or at most every 3 years)|
|High|Regulated data, including PHI, payment card data, data subject to FISMA, and other regulated data|HIPAA, FISMA, PCI DSS|Review vendor documentation; independent third-party attestation (depending on compliance requirements or availability); involve UIS and UMN Compliance Officers|Regular review to ensure continuing compliance per regulatory requirement (annually recommended)|
- Contact the Technology Advisory Council (TAC) for guidance on new technologies.
- Use the appropriate UMN vendor/supplier questionnaire. There are two versions: the Software/hardware questionnaire and the Professional IT services questionnaire. Each includes a short set of screening questions for any security level and a longer set of questions for finalists. RFPs must include the relevant questions from the UMN vendor/supplier questionnaire, and units can also use the questionnaire as a standard way to collect security information from non-RFP vendors.
- Contact UIS if you need assistance evaluating the vendor’s responses.
- Retain contract and due diligence records for the duration of the relationship with the vendor.
- Procurement: TAC, Software/hardware questionnaire, Professional IT services questionnaire, gap analysis, NS’s cloud worksheet
- Other UMN Policies: Purchasing Goods and Services, Entering Into Contracts, Accessibility of Information Technology Policy
Contact University Purchasing Services for guidance on new or renewing contracts. The University’s Entering Into Contracts policy provides information on entering into a contract with a vendor, including when a subject matter expert (SME) consult is required with University Information Security and other SMEs.
All contracts for IT services should include confidentiality clauses that protect proprietary information or private data on behalf of the University.
There are several ways in which vendors can demonstrate that they have adequate security measures in place. All of those listed below are acceptable to the University. In every case, check that the scope of the certification, report or attestation actually covers the service and the data the University will entrust to it, not just the vendor’s corporate offices or an unrelated product line.
- Major vendors may hold current certifications or attestations, including:
  - SSAE 18 SOC 2 Type II report (a Type II report covers the operating effectiveness of controls over a review period, whereas a Type I covers control design at a single point in time; check which trust services criteria are in scope and whether subservice organizations are carved out, and ask for a bridge letter if the report period has lapsed)
  - ISO 27001 certification (check the certificate’s scope statement)
  - PCI DSS (SAQ or ROC; the SAQ is a merchant or service-provider self-assessment, while the ROC is completed by a Qualified Security Assessor; either is normally accompanied by an Attestation of Compliance)
  - Cloud Security Alliance STAR certification
- Smaller vendors, or vendors that do not handle regulated data, may instead be:
  - Listed on online security registries
  - Willing to complete a self-attestation, e.g.:
    - UMN vendor/supplier questionnaire for Software/hardware
    - UMN Professional IT services questionnaire
    - Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
    - Shared Assessments Standardized Information Gathering (SIG) questionnaire
    - Higher Education Community Vendor Assessment Toolkit (HECVAT)
    - Big Ten Academic Alliance vendor questionnaire
- This standard is based on the principles of ISO/IEC 27002:2013.
- Practices for the Information Security Policy
- Technology Portfolio