If your unit is looking for a vendor service or product that will access, process, or maintain sensitive institutional data, you need to ensure compliance with all relevant IT security and privacy laws, regulations, and U-M policies and procurement processes (Third Party Vendor Security and Compliance (DS-20)).
- Engage Information Assurance (IA) to support you during the security-compliance assessment process, or go through Procurement Services, in which case IA is pulled in automatically.
- Use the U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) to gather the needed information. The questionnaire is periodically reviewed and updated by Information Assurance and Michigan Medicine Corporate Compliance.
- Additional vendor security risk questionnaires or security assessment tools may be vetted and approved by IA for use in specific situations if needed.
- Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) the service provider security and compliance review process for unit procurements.
- Software Procurement and Licensing Compliance (SPG 601.03-3) is the authoritative source for information assurance protections related to software purchased from third parties.
- If you need help, contact IA via the ITS Service Center.
Additional U-M units may participate in the process:
- Procurement Services, where appropriate, coordinates the submission of the UMSPSCQ by prospective vendors.
- Information Assurance works closely with Procurement Services to automatically review enterprise, Information and Technology Services (ITS), and Michigan Medicine procurements. In addition, IA will perform service provider security and compliance assessment for any unit upon request.
- U-M Merchant Services participates in third-party vendor assessments if handling of payment card information is involved.
Ask Vendors to Fill Out the Security and Compliance Questionnaire
Prospective vendors are generally required to fill out the U-M Service Provider Security-Compliance Questionnaire (Excel spreadsheet; U-M login required) if their product, service, or application meets either of these criteria:
- Contracts, including research contracts or agreements, that establish a service on behalf of the university which will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted or High, or any data types regulated by federal or state law or regulations.
- Transfers of any sensitive institutional data from a university-owned system or device to a third-party vendor contracted system or device (including biomedical devices), whether located on or off campus.
When Procurement Services and/or your unit conducts a request for proposals (RFP), include the questionnaire. If your unit procures an open source service or product or procures a service or product without an RFP, ask the vendor/provider to fill out the questionnaire.
Vendor questions about the questionnaire should be directed to Procurement Services.
Review the Vendor's Responses
The Security Unit Liaison or designee and appropriate unit IT staff review the completed questionnaire or other provided documentation about the vendor’s information assurance program and follow up with Procurement Services or the vendor if clarification or additional information is needed.
The review process is qualitative rather than quantitative. When reviewing the questionnaire and/or IT security and compliance documentation, consider the following:
- Does the service provider provide any additional documentation that describes their IT security and compliance program (see below)?
- Does the additional documentation (either publicly available or provided as part of the Procurement process) describe a reasonable information assurance program?
- How many questions are answered "yes" in the questionnaire?
- Does the service provider provide additional details beyond a "yes" or "no" response?
- Do their responses seem plausible?
In addition to reviewing the questionnaire, review other sources of documentation and information that are available publicly or provided by the vendor, such as these:
- Assessments or certifications. Does the company have any? Are they publicly posted and current? Examples include ISO certification, PCI DSS, and FedRAMP.
- Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR). Is the vendor listed in the registry? Vendors listed there attest to compliance with CSA's Cloud Controls Matrix.
- Previously completed security questionnaires, such as the Cloud Security Alliance Consensus Assessments Initiative questionnaire.
- Publicly available security and compliance documentation, such as the Amazon Web Services (AWS) Security and AWS Compliance websites, or the Salesforce Security, Privacy, and Architecture documentation.
- Securely available security and compliance program documentation or white papers provided under a non-disclosure agreement.
- Other service provider security and compliance documentation, such as specific policies and procedures. These are also often provided under a non-disclosure agreement.
- Company reputation. If you conduct a web search, do they seem to be well-trusted and well-regarded? Has the company had a security incident or data breach in the past?