If your unit uses a vendor-hosted product or service to store, process, or transmit university data, you must ensure adequate data protection. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need to understand how potential vendors will protect university data prior to entering into a contractual relationship.
This assessment process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment. Your unit's Security Unit Liaison coordinates (or designates someone to coordinate) efforts to meet the responsibilities outlined in the DS-20 standard.
If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, follow the guidance in the Information Security Risk Management Standard (DS-13).
Evaluate and Classify the Data
Evaluate the data that will be shared with the vendor and determine its data classification.
- Consult Examples of Sensitive Data by Classification Level to help you determine the appropriate classification.
- If your unit cannot determine the data classification, ask for an Information Assurance (IA) determination by filling out the Third Party Vendor Security and Compliance request form.
- Units should maintain a record of the data classification evaluation (either the self-assessment or IA's determination). If working with Procurement Services, share a copy of the data classification evaluation with your Procurement agent.
Conduct Security Screening of Vendors
Review sources of security documentation and information that are available publicly or provided by the vendor, such as these:
- Assessments or certifications. Does the company have any? Are they publicly posted and current? Examples include ISO certification, PCI DSS, and FedRAMP.
- Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR). Is the vendor listed in the registry? Vendors listed there attest to compliance with CSA's Cloud Controls Matrix.
- Previously completed security questionnaires, such as the Cloud Security Alliance Consensus Assessments Initiative questionnaire.
- Security and compliance documentation provided by the vendor. Publicly available examples include Amazon Web Services (AWS) Security, AWS Compliance, Salesforce Security, Privacy, and Architecture. Other documentation may be provided under a non-disclosure agreement.
- Company reputation. Use web search, benchmarking, industry reports, and other methods. Is the vendor well-trusted and well-regarded? Has the company had a security incident or data breach in the past?
Engage Procurement Services
The easiest way to ensure a vendor meets U-M security and compliance requirements is to request help from Procurement Services. They can make sure that the appropriate legal documentation and review/assessment processes are completed.
Follow Requirements Based on Data Classification
Different documents and agreements are required based on the classification level of the data the third party service or product will access. These are defined in the Third Party Vendor Security and Compliance Standard (DS-20). See more guidance at IT Security and Privacy in Vendor Contracts.
Perform Ongoing Vendor Assessments
Reassess vendor security and compliance whenever the vendor, the service, or the classification of the data the vendor will be storing or accessing changes. Refer to your record of the initial data classification evaluation and, if you are adding additional sensitive data types, ensure the requirements for the new classification have been met.
Procurement Services, ITS Information Assurance, and other university units can help you at every step of the way.