For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.
FY24 Question
My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
Responses to the FY24 Question
All units should be able to reply "Yes" or "Partially" to the FY24 question.
- Yes. My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned all of its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
- Partially. My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned some of its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
- No. My unit has reviewed Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01), but has not aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
Guidance for Responding to the Question
Security and privacy of data are important considerations when contracting for third-party services and products. ITS Information Assurance (IA) and Procurement Services, in consultation with the Office of General Counsel and other university partners, collaborate to ensure appropriate IT security and privacy assessments take place, depending on the classification level of the institutional data the service or product will access.
The newly updated Procurement General Policies (SPG 507.01) and the IT Standard on Third Party Vendor Security and Compliance (DS-20) specify the requirements and provide guidance to units for appropriate protection of data shared with third-party vendors.
In preparation for responding to the FY24 IA Internal Control Certification Question, units need to:
- Create broad awareness of the updated Procurement General Policies (SPG 507.01) and the IT Standard on Third Party Vendor Security and Compliance (DS-20) among unit faculty and staff involved in procuring vendor-hosted products and services.
- Review guidance on Third Party Vendor Security and Compliance (DS-20) and ensure unit faculty and staff involved in procuring vendor-hosted products and services have incorporated the guidance into the unit's procurement processes.
Supporting Materials
Answers to Your Questions
Security Unit Liaisons (SULs) can send questions to [email protected]. Information Assurance will post answers here to any inquiries received about this year's certification question.