Use Information Security Questions for Contract Review
The following questions will assist units or individuals to review IT contracts or licenses for both cloud-based/off-site or on-premise/locally hosted IT services. The goal is that information security and risks are considered in advance rather than ‘after the fact’ especially for activities involving Private-Highly Restricted or Private-Restricted data. For more information, see the Vendor/Supplier Management standard in the Information Security Policy.
University Information Security can assist units with interpreting technical or business process questions, rather than advising on contractual language. A contractual language review by the Office of General Counsel is covered in the Entering Into Contracts policy.
The questions below are related to information security and are often used in information technology contracts:
- The list is based on information security related gaps found during previous contract reviews by University Information Security. This is not an all inclusive list of information security questions to consider in your contract review.
- The questions are not intended to be scored. They are factors to consider as part of the decision to select a vendor or adopt a technology solution.
- Not all questions apply to all contracts.
Does the vendor agree to maintain compliance with an industry standard or government regulation (e.g. HIPAA, FERPA, FISMA, PCI DSS)?
Will the vendor create, receive, maintain, or transmit Protected Health Information (PHI)? If yes, contact the Chief Health Information Privacy Officer at [email protected] for assistance.
Will the vendor receive, maintain, or transmit credit card and/or debit card information?
Will the vendor provide services that control or could impact the security of credit card and/or debit card information? If yes, contact the Payment Card Program at [email protected] for assistance.
Does the vendor offer to provide a current third-party/independent attestation of information security controls (e.g. SSAE 18, PCI DSS, AOC), or a self attestation (e.g. HECVAT, CSA CAIQ) for themselves and any sub-contractors on a regular (usually annual) basis?
Does the vendor agree to respond and cooperate during an information security investigation/assessment, process/record review/audit?
Will the vendor add the University as an ‘additional insured’ party to the vendor’s insurance to cover potential breach costs? The standard insurance indemnification clause in University contracts is for a $10M indemnity.
Does the contract obligate the vendor to indemnify UMN and faculty/staff against legal actions/third party claims, including costs and fees?
Does the vendor assume liability for costs of investigating, responding/mitigating an information security breach due to failure to conform to the contract's terms?
|Service Levels||Does the vendor specify Service Levels with Service Level Objectives (e.g. 99.9% up time), and scheduled maintenance cycle?|
|Disaster Recovery||Does the vendor state that they have an established/documented Disaster Recovery process to protect UMN data or operations?|
|Intellectual Property||Does the contract contain language to protect UMN data or intellectual property to the same level as vendor's own protection?|
|Information Security Awareness||Does the vendor state that they have an established/documented information security awareness program for their employees and contractors?|
|Does the vendor bind its employees and contractors to non-disclosure of customer data or intellectual property?|
|Sub-contractors||Does the vendor state that all sub-contractors are obligated to comply with the same terms and conditions? This particularly applies to data destruction at termination of contract and notification of information security incidents.|
|Does the vendor agree to adhere to security best practices for system development and maintenance?|
Does the vendor agree to maintain current software versions and to patch regularly?
Does the vendor agree to fix/patch information security deficiencies or bugs in its or subcontractors' service/software in a timely fashion? Contracts frequently use the term 'commercially reasonable.'
Does the contract obligate the vendor to notify customer within 24 hours of major/significant issues?
Does the contract define major/significant?
|Does the vendor agree to notify UMN within 48 hours of an information security incident or breach that has likely compromised or involves inappropriate access to UMN data?|
Will the vendor agree to return the data at the University's request, and the data will be in a commonly readable program?
Does the vendor allow UMN to review or audit data destruction process real-time as well as afterwards?
Does the vendor acknowledge responsibility to protect UMN data for itself and subcontractors, continuing after termination of the contract?
Questions last reviewed: 11/13/2019
Review by compliance officers and/or University Information Security (UIS)
Additional review by University compliance officers is required for some data classifications or services:
- Arrangements with vendors relating to PHI must be reviewed by the Chief Health Information Compliance Officer ([email protected]).
- Payment cards (e.g., credit or debit cards) must be reviewed by the PCI DSS Compliance Analyst ([email protected]).
- FERPA protected student data must be reviewed by Stacey Tidball ([email protected]).
- If the vendor can access Private data, or a service is mission-critical, the vendor’s data security must be reviewed by University Information Security ([email protected]).
For more information, see the Entering Into Contracts Policy Review by Subject Matter Experts.