If your unit is looking for a vendor service or product that will access, process, or maintain sensitive institutional data, you need to ensure compliance with all relevant IT security and privacy laws, regulations, and U-M policies and procurement processes.
The process for ensuring compliance is governed by Third Party Vendor Security and Compliance (DS-20) and is required whenever university data leaves the U-M IT environment.
If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, then this process does not apply. Instead, follow the guidance in the Information Security Risk Management Standard (DS-13).
Vendors Fill Out a Questionnaire
Prospective vendors are generally required to fill out the U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) (Excel spreadsheet; U-M login required) if their product, service, or application meets either of these criteria:
- Contracts, including research contracts or agreements, that will establish a service on behalf of U-M that will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted or High, or any data types regulated by federal or state law or regulation.
- Transfers of any sensitive institutional data from a university-owned system or device to a third-party vendor contracted-for system or device (including biomedical devices), whether located on or off campus.
When Procurement Services and/or your unit conducts a request for proposals (RFP), include the questionnaire in the RFP. If your unit procures an open source service or product, or procures a service or product without an RFP, ask the vendor/provider to fill out the questionnaire.
Multiple Units Help with the Process
- Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) the service provider security and compliance review process for unit procurements.
- Engage ITS Information Assurance (IA) via the ITS Service Center to support you during the security-compliance assessment process, or begin with Procurement Services, and IA will be pulled in automatically.
- A vendor may choose to provide a SOC 2 report, a HECVAT, a BTAA questionnaire, or other similar security questionnaire in place of the UMSPSCQ, as long as the documentation addresses the same risk factors and compliance requirements as the UMSPSCQ. Additional vendor security risk questionnaires or security assessment tools may be vetted and approved by IA for use in specific situations if needed.
- U-M Merchant Services participates in third-party vendor assessments if handling of payment card information is involved.
Information Assurance works closely with Procurement Services to automatically review enterprise, Information and Technology Services (ITS), and Michigan Medicine procurements. In addition, IA will perform service provider security and compliance assessment for any unit upon request.
Vendor questions about the questionnaire should be directed to Procurement Services.
IA Reviews Vendor's Responses
IA staff review the completed questionnaire or other provided documentation about the vendor’s information assurance program and follow up with Procurement Services or the vendor if clarification or additional information is needed.
The review process is qualitative rather than quantitative: the questionnaire is not scored, and the count of "yes" answers is only one input among several. When reviewing the questionnaire and/or IT security and compliance documentation, the following are considered:
- Does the service provider provide any additional documentation that describes their IT security and compliance program (see below)?
- Does the additional documentation (either publicly available or provided as part of the Procurement process) describe a reasonable information assurance program?
- How many questions are answered "yes" in the questionnaire?
- Does the service provider provide additional details beyond a "yes" or "no" response?
- Do their responses seem plausible?
Review Additional Information: Public and Provided by Vendor
In addition to reviewing the questionnaire, review other sources of documentation and information that are available publicly or provided by the vendor, such as these:
- Assessments or certifications. Does the company have any? Are they publicly posted and current? Examples include ISO certification (such as ISO/IEC 27001), PCI DSS, and FedRAMP.
- Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR). Is the vendor listed in the registry? Vendors listed there attest to compliance with CSA's Cloud Controls Matrix.
- Previously completed security questionnaires, such as the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ).
- Publicly available security and compliance documentation, such as the Amazon Web Services (AWS) Security and AWS Compliance websites, or the Salesforce Security, Privacy, and Architecture documentation.
- Non-public security and compliance program documentation or white papers that the vendor provides under a non-disclosure agreement.
- Other service provider security and compliance documentation, such as specific policies and procedures. These are also often provided under a non-disclosure agreement.
- Company reputation. If you conduct a web search, do they seem to be well-trusted and well-regarded? Has the company had a security incident or data breach in the past?