Third Party Vendor Security & Compliance

Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need a good understanding of how potential vendors will protect university data before selecting a vendor. If your unit uses a non-university product or service to store, process, or transmit university data, you must ensure adequate data protection.

Evaluate the Data

When planning to establish a relationship with a third party vendor, a unit should begin by evaluating the data that will be shared with the vendor and determining its data classification.

This evaluation process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment.

If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, follow the guidance in Information Security Risk Management Standard (DS-13).

Follow Vendor Selection Process

Once the data classification is determined, follow this process:

  1. Engage Procurement Services. The easiest way to ensure a vendor meets U-M security and compliance requirements is to involve Procurement Services. They can help make sure that the appropriate legal documentation and review/assessment processes are completed.
  2. Include IT security and privacy in your vendor contract. Include the appropriate agreements to protect university data, usually starting with the U-M Data Protection Addendum (DPA). The DPA is required if a service provider will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted, High, or Moderate. Specified alternatives to the DPA may be an option for data classified as Moderate. Additional agreements may be needed for specific data types.
  3. Use the UMSPSCQ to ensure vendors meet compliance requirements. The U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) is required whenever a service provider will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted or High.

Ongoing Compliance

Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) efforts to meet the responsibilities outlined in Third Party Vendor Security and Compliance (DS-20). Vendor security and compliance should be reassessed if there are changes of vendor, service, or classification of the data the vendor will be storing or accessing. Procurement Services, ITS Information Assurance, and other university units can help you at every step of the way.


Applicable University Policies