Third Party Vendor Security & Compliance

If your unit uses a vendor-hosted product or service to store, process, or transmit university data, you must ensure adequate data protection. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need to understand how potential vendors will protect university data prior to entering into a contractual relationship. 

This assessment process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment. Your unit's Security Unit Liaison coordinates (or designates someone to coordinate) efforts to meet the responsibilities outlined in the DS-20 standard.

If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, follow the guidance in Information Security Risk Management Standard (DS-13).

Evaluate and Classify the Data

Evaluate the data that will be shared with the vendor and determine its data classification.

Conduct Security Screening of Vendors

Review sources of security documentation and information that are available publicly or provided by the vendor, such as these:

Engage Procurement Services

The easiest way to ensure a vendor meets U-M security and compliance requirements is to request help from Procurement Services. They can make sure that the appropriate legal documentation and review/assessment processes are completed.

Follow Requirements Based on Data Classification

Different documents and agreements are required based on the classification level of the data the third party service or product will access. These are defined in the Third Party Vendor Security and Compliance Standard (DS-20). See more guidance at IT Security and Privacy in Vendor Contracts.

Perform Ongoing Vendor Assessments

Reassess vendor security and compliance if there are changes of vendor, service, or classification of the data the vendor will be storing or accessing.

Procurement Services, ITS Information Assurance, and other university units can help you at every step of the way.

Review Applicable U-M Policies