Third Party Vendor Security & Compliance

If your unit uses a vendor-hosted product or service to store, process, or transmit university data, you must ensure adequate data protection. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need to understand how potential vendors will protect university data prior to entering into a contractual relationship.

This assessment process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment. Your unit's Security Unit Liaison coordinates (or designates someone to coordinate) efforts to meet the responsibilities outlined in the DS-20 standard.

If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, follow the guidance in Information Security Risk Management Standard (DS-13).

Evaluate and Classify the Data

Evaluate the data that will be shared with the vendor and determine its data classification.

  • Consult Examples of Sensitive Data by Classification Level to help you determine the appropriate classification.
  • If your unit cannot determine the data classification, ask for an Information Assurance (IA) determination by filling out the Third Party Vendor Security and Compliance request form.
  • Units should maintain a record of the data classification evaluation (either self assessment or IA's determination). If working with Procurement Services, a copy of the data classification evaluation should be shared with your Procurement agent.

Conduct Security Screening of Vendors

Review sources of security documentation and information that are available publicly or provided by the vendor, such as these:

Engage Procurement Services

The easiest way to ensure a vendor meets U-M security and compliance requirements is to request help from Procurement Services. They can make sure that the appropriate legal documentation and review/assessment processes are completed.

Follow Requirements Based on Data Classification

Different documents and agreements are required based on the classification level of the data the third party service or product will access. These are defined in the Third Party Vendor Security and Compliance Standard (DS-20). See more guidance at IT Security and Privacy in Vendor Contracts.

Perform Ongoing Vendor Assessments

Reassess vendor security and compliance if there are changes of vendor, service, or classification of the data the vendor will be storing or accessing. Refer to your record of the initial data classification evaluation and ensure requirements have been met if you are adding additional sensitive data types.

Procurement Services, ITS Information Assurance, and other university units can help you at every step of the way.

Review Applicable U-M Policies