Third Party Vendor Security & Compliance

If your unit uses a non-university product or service with university data, you must ensure adequate protection of the data.

  1. Engage Procurement Services. The easiest way to ensure a vendor meets U-M security and compliance requirements is to involve Procurement Services. They can help make sure that the appropriate legal documentation and review/assessment processes are completed.
  2. Sensitive Data—use the UMSPSCQ to select a vendor that meets compliance requirements. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need a good understanding of how potential vendors will protect university data before selecting a vendor. The U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) will help guide your information gathering during this process.
  3. Include IT security and privacy in your vendor contract. Once you select a vendor, you will need to include the appropriate agreements to protect university data, including the U-M Data Protection Addendum (DPA). The DPA is required whenever a service provider will collect, process, or maintain institutional data. Other types of agreements may be needed for specific data types.

Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) efforts to meet the responsibilities outlined in Third Party Vendor Security and Compliance (DS-20). Vendor security and compliance should be reassessed whenever the vendor, the service, or the classification of the data the vendor will store or access changes. Procurement Services, Information Assurance, and other university units can help you at every step of the way.

Applicable University Policies