How-to

Use Information Security Questions for Contract Review

Purpose

The following questions will assist units or individuals in reviewing IT contracts or licenses, so that information security and risks are considered in advance rather than ‘after the fact’, especially for activities involving Private-Highly Restricted or Private-Restricted data. See the Vendor/Supplier Management standard in the Information Security Policy.

University Information Security can interpret technical or business process questions, but does not advise on contractual language. Contractual language review by the Office of General Counsel is covered in the Entering Into Contracts policy.

Review by compliance officers and/or University Information Security (UIS)

Additional review by University compliance officers is required for some data classifications or services:

  • Arrangements with vendors relating to PHI must be reviewed by the Chief Health Information Compliance Officer (privacy@umn.edu).
  • Payment cards (e.g., credit or debit cards) must be reviewed by the PCI DSS Compliance Analyst (pmtcard@umn.edu).
  • FERPA-protected student data must be reviewed by Stacey Tidball (tidball@umn.edu).
  • If the vendor can access Private data, or a service is mission-critical, the vendor’s data security must be reviewed by University Information Security (infosecurity@umn.edu).

For more information, see the Entering Into Contracts policy, Review by Subject Matter Experts.

Questions

The questions are related to information security and are:

  • Based on information security-related gaps found during previous contract reviews by University Information Security. This is not an all-inclusive list of information security questions to consider in your contract review.
  • Not intended to be scored. They are factors to consider as part of the decision to select a vendor or adopt a technology solution.

The questions below are organized in a similar way to many information technology contracts. Many relate to off-site or ‘cloud’ services, but may also apply to software running on University-owned hardware (‘on-premise’). Not all questions apply to all contracts. The CLOUD/OFF-SITE column marks the questions that apply to cloud or off-site services.

TOPIC/CLAUSE | QUESTION | CLOUD/OFF-SITE

Compliance | Does the vendor agree to maintain compliance with an industry standard or government regulation (e.g. HIPAA, FERPA, FISMA, PCI DSS)? | Yes
Compliance | Will the vendor create, receive, maintain, or transmit Protected Health Information (PHI)? If yes, contact the Chief Health Information Privacy Officer at privacy@umn.edu for assistance. | Yes
Compliance | Will the vendor receive, maintain, or transmit credit card and/or debit card information? Will the vendor provide services that control or could impact the security of credit card and/or debit card information? If yes, contact the Payment Card Program at pmtcard@umn.edu for assistance. | Yes
Independent Assessment | Does the vendor offer to provide a current third-party attestation of information security controls (such as SSAE 18, PCI DSS AOC) for themselves and any sub-contractors on a regular (usually annual) basis? | Yes
Termination | Does the vendor allow UMN to review or audit the data destruction process in real time as well as afterwards? | Yes
Right to Assess/Audit | Does the vendor agree to respond and cooperate during an information security investigation/assessment or a process/record review/audit? | Yes
Insurance | Will the vendor add the University as an ‘additional insured’ party to the vendor’s insurance to cover potential breach costs? | Yes
Service Levels | Does the vendor specify Service Levels with Service Level Objectives (e.g. 99.9% uptime) and a scheduled maintenance cycle? | Yes
Intellectual Property | Does the contract contain language to protect UMN data or intellectual property to the same level as the vendor's own protection? | Yes
Information Security Awareness | Does the vendor state that they have an established/documented information security awareness program for their employees and contractors? | Yes
Non-disclosure | Does the vendor bind its employees and contractors to non-disclosure of customer data or intellectual property? | Yes
Sub-contractors | Does the vendor state that all subcontractors are obligated to comply with the same terms and conditions? This particularly applies to data destruction at termination of the contract and to notification of information security incidents. | Yes
Independent Assessment | Does the vendor agree to independent, third-party information security assessments on a regular basis? | 
System Development | Does the vendor agree to adhere to security best practices for system development and maintenance? | 
System Maintenance | Does the vendor agree to maintain current software versions and to patch regularly? | Yes
System Maintenance | Does the vendor agree to fix/patch information security deficiencies or bugs in its or its subcontractors' service/software in a timely fashion? Contracts frequently use the term ‘commercially reasonable’. | Yes
Notification/Incident Response | Does the contract obligate the vendor to notify the customer within 24 hours of major/significant issues? Does the contract define major/significant? | Yes
Disaster Recovery | Does the vendor state that they have an established/documented Disaster Recovery process to protect UMN data or operations? | Yes
Breach Notification | Does the vendor agree to notify UMN within 48 hours of an information security incident or breach that has likely compromised, or involves inappropriate access to, UMN data? | Yes
Breach Liability | Does the vendor assume liability for the costs of investigating and responding to/mitigating an information security breach due to failure to conform to the contract's terms? | Yes
Indemnification | Does the contract obligate the vendor to indemnify UMN and faculty/staff against legal actions/third-party claims, including costs and fees? | Yes
Termination | Does the vendor acknowledge responsibility to protect UMN data, for itself and its subcontractors, continuing after termination of the contract? | Yes
Termination | Does the contract state that the termination obligations survive the termination of the agreement? | Yes
Termination | Does the vendor agree to expedite the return of all UMN data or to destroy the data, including backup copies, within a specified time period after termination of the agreement? It is reasonable to allow an extended period for destruction of backup data. Will the vendor agree to return the data at the University's request, in a commonly readable format? | Yes