Third Party Vendor Security & Compliance

If your unit uses a non-university product or service with university data, you must ensure adequate protection of the data.

  1. Engage Procurement. The easiest way to ensure a vendor meets U-M security and compliance requirements is to involve Procurement Services. They can help make sure that the appropriate legal documentation and review/assessment processes are completed.
  2. Sensitive data: use the UMSPSCQ to select a vendor that meets compliance requirements. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need a clear understanding of how each potential vendor will protect university data before you make a selection. The U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) will guide your information gathering during this process.
  3. Include IT security and privacy in your vendor contract. Once you select a vendor, you will need to put the appropriate agreements in place to protect university data, including the U-M Data Protection Addendum (DPA). The DPA is required whenever a service provider will collect, process or maintain institutional data. Other types of agreements may be needed for specific data types.
  4. Manage vendor security compliance. You must monitor and periodically reassess your selected vendor's security compliance as part of your ongoing vendor relationship management.

Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) efforts to meet the responsibilities outlined in Third Party Vendor Security and Compliance (DS-20). Procurement Services, Information Assurance, and other university units can help you at every step of the way.

Applicable University Policies