Conducting Information Security Reviews of Vendors

Shared Responsibility for Information Security

Vendors or service providers that collect, transmit, process, or store University data must comply with required information security controls throughout the contract lifecycle. Responsibility for securing University data is shared between the vendor (who is also responsible for any sub-vendors or third parties) and unit leadership, who is responsible for ensuring vendor compliance through regular, active due diligence.

The required controls are specified for each security level of service in the University of Minnesota information security standards (including the Software Development Standard). Compliance with security controls applies to ‘freeware’ and End User License Agreements as well as paid services.

Key Criteria for Vendor Security Reviews

The depth of the initial vendor security review and the frequency of ongoing reviews must be based on the security level of the service, as described in the two sections below:

Low Security: Conduct a Unit Review

For Low security level services, units are not required to request that a vendor provide attestations of their security controls (see steps 3 and 4 below), but it is recommended, particularly if there are multiple sub-vendors or third parties involved. A variety of acceptable attestation formats are available.

Low security services must be reviewed periodically to ensure continuing service levels (at contract renewal or maximum of 3 years). Consult UIS as needed on data classification or security level.

Confirm Regulatory Compliance Requirements

The following areas are classified as High security level by default:

  • If your unit is part of a Health Care Component, contact [email protected], or your unit Purchasing staff who will involve the Health Information Privacy Compliance Office, which may direct you to follow the High or Medium security review process.
  • If credit card transactions are involved, contact [email protected].

All other Low security level services must follow the security review process below.

Initial Review: Procurement Phase

It is recommended that units follow these steps to conduct an initial security review of a new vendor/service (below the RFP threshold):

  1. Review the vendor website for any information regarding security or privacy. This applies to any vendor service, including ‘no-cost’, ‘click-through’ agreements or apps.
  2. Use the Cloud Security Worksheet if appropriate, or consult unit IT or OIT when considering new technologies.
  3. Request that the vendor provide a current copy of one of the required security documents (see the Security Documents section below for specifics).
  4. Review the vendor security document(s). Use the SOC Review Form as needed. Contact UIS if you need assistance in evaluating vendor responses; allow 2 to 4 weeks to complete the security review.
  5. Retain the vendor contract and security review records for the duration of the relationship with the vendor.

Security Documents

Independent Attestation:
  • SSAE18/SysTrust SOC 2 Type II
  • HITRUST
  • ISO 27001
  • PCI DSS (SAQ or ROC)
  • Cloud Security Alliance STAR certification
  • NIST-FISMA

Industry Self-Attestation:
  • Cloud Security Alliance (CSA) self-assessment (CAIQ)
  • Shared Assessments Standardized Information Gathering (SIG)
  • Higher Education Community Vendor Assessment Tool (HECVAT)
  • Big Ten Academic Alliance vendor questionnaire

UMN Self-Attestation (one of):
  • Software/Hardware
  • IT Professional Services, not including software/hardware delivery

Note: If comparing multiple Low security vendors, the screening questions on tab 2 are sufficient. If conducting an optional deeper review, request that the vendor respond to the finalist questions on tab 3.

Ongoing Review: Mid-Contract Phase

It is recommended that units follow these steps to conduct a periodic review to confirm that the security controls required at the initial review remain in place:

  1. Review the vendor website for any updated information regarding security or privacy. This applies to any vendor service, including ‘no-cost’, ‘click-through’ agreements or apps.
  2. Search online security registries for the vendor(s).
  3. Request that the vendor(s) provide a current copy of one of the required security documents (see the Security Documents section below for specifics).
  4. Review the current version for changes.
  5. Consult UIS as needed.

Security Documents

Independent Attestation:
  • SSAE18/SysTrust SOC 2 Type II
  • HITRUST
  • ISO 27001
  • Cloud Security Alliance STAR certification

Industry Self-Attestation:
  • Cloud Security Alliance (CSA) self-assessment (CAIQ)
  • Shared Assessments Standardized Information Gathering (SIG)
  • Higher Education Community Vendor Assessment Tool (HECVAT)
  • Big Ten Academic Alliance vendor questionnaire

UMN Self-Attestation:
  • Written acknowledgement that security controls are in place equivalent to the initial review, including for sub-vendors or third parties, if any.

Termination of Contract

It is recommended that units notify the vendor as early as possible that they are required upon the termination of the contract to:

  • Return all University data in an agreed format
  • Securely delete all copies of University data, including from backups or sub-vendor/third-party systems

High/Medium Security: Participate in a Joint Security Review with UIS

Medium security services must be reviewed periodically to ensure continuing security (at contract renewal or maximum of 3 years). High security services must have regular review to ensure continuing compliance per regulatory requirement (recommended annually). UIS is available to assist and provide a University-level risk perspective.


Confirm Regulatory Compliance Requirements

Compliance reviews by Subject Matter Experts are required for the following areas:

  • If your unit is part of a Health Care Component, contact [email protected], or your unit Purchasing staff who will involve the Health Information Privacy Compliance Office, which may direct you to follow this security review process.
  • If credit card transactions are involved, contact [email protected].

All other Medium or High security level services must follow the security review process below.

Initial Review: Procurement Phase

 

  1. Contact UIS as early as possible to request a security review and discuss the level of documentation required. Allow 2 to 4 weeks to complete the security review. A security review is automatically requested by Purchasing for RFPs.
  2. Request that the vendor(s) provide a current copy of one of the required security documents (see the Security Documents section below for specifics).
    • UIS will:
      • Review the vendor website for any information regarding security or privacy.
      • Search online security registries for the vendor (and any third parties, if known).
      • Evaluate the vendor responses and summarize any risks identified to the unit.
      • Consult on risk treatment decisions, requesting vendor security enhancements or joining discussions with vendors as needed.
  3. Retain the vendor contract and security review records for the duration of the relationship with the vendor.

Security Documents

A Current Independent Attestation:
  • SSAE18/SysTrust SOC 2 Type II
  • HITRUST
  • ISO 27001
  • Cloud Security Alliance STAR certification
  • NIST-FISMA

A Current Self-Attestation:
  • Cloud Security Alliance (CSA) self-assessment (CAIQ)
  • Shared Assessments Standardized Information Gathering (SIG)
  • Higher Education Community Vendor Assessment Tool (HECVAT)
  • Big Ten Academic Alliance vendor questionnaire

UMN Self-Attestation (one of):
  • Software/Hardware
  • IT Professional Services, i.e. not including software/hardware delivery

Ongoing Review: Mid-Contract Phase

Follow these steps to conduct a periodic review to confirm that the security controls required at the initial review remain in place:

  1. Request that the vendor(s) provide a current copy of the security document that they provided for the Procurement phase.
  2. Contact UIS as early as possible to request a security review and discuss the level of documentation required. Allow 2 to 4 weeks to complete the security review.
    • UIS will:
      • Review the vendor website for any information regarding security or privacy.
      • Search online security registries for the vendor (and any third parties, if known).
      • Review the vendor response and summarize any changes or risks identified.
      • Consult on risk treatment decisions, requesting vendor security enhancements or joining discussions with vendors as needed.
  3. Retain the vendor contract and due diligence records for the duration of the relationship with the vendor.

Termination of Contract

It is recommended that units notify the vendor as early as possible that they are required upon the termination of the contract to: 

  • Return all University data in an agreed format
  • Securely delete all copies of University data, including from backups or sub-vendor/third-party systems

University Policies

This page supplements the requirements in the Vendor/Supplier Management Standard published in the University Policy library. This standard is based on the principles of ISO/IEC 27002-2013.
