Guidance for the Internal Control Annual Information Assurance Certification Question

For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.

FY24 Question

My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).

Responses to the FY24 Question

All units should be able to reply "Yes" or "Partially" to the FY24 question.

Guidance for Responding to the Question

Security and privacy of data are important considerations when contracting for third-party services and products. ITS Information Assurance (IA) and Procurement Services, in consultation with the Office of General Counsel and other university partners, collaborate to ensure appropriate IT security and privacy assessments take place, depending on the classification level of the institutional data the service or product will access.

The newly updated Procurement General Policies (SPG 507.01) and the IT Standard on Third Party Vendor Security and Compliance (DS-20) specify the requirements and provide guidance to units for appropriate protection of data shared with third-party vendors.

In preparation for responding to the FY24 IA Internal Control Certification Question, units need to:

Supporting Materials

Answers to Your Questions

Security Unit Liaisons (SULs) can send questions to [email protected]. Information Assurance will post answers here to any inquiries received about this year's certification question.