Sharing University Information with Third Parties

In cases where university information is shared with a third party and IT systems and services are provided by the third party, the University Information Security Office requires the following information to assist with the agreement and next steps.

  1. A brief paragraph describing the purpose of the agreement with the third party.
  2. A description of who (IU or the third party) is responsible for what parts of the system or service provided by the third party.
  3. A description of the types (e.g., what specific data elements, is it data about faculty, staff, and/or students, etc.) and quantity (i.e., number of records) of data involved.
  4. The third party's responses to the information and IT related security questions in the Office of Procurement Services' RFP template.
  5. Once you have gathered all of the information requested in numbers 1-4, then:
  6. Share it with the University Information Security Office by sending an email to uiso@iu.edu. A security engineer will review the information to develop an understanding of the system as well as the vendor's approach to security, and may ask for additional information or clarification if necessary. The security engineer will review the responses more closely if the Committee of Data Stewards has classified the data involved at the critical level.
  7. Share it with the appropriate Data Steward(s) based on the type of data involved so they can provide guidance. The security engineer can help you determine which Data Steward(s) to involve if you would like.
  8. The security engineer will provide both you and the Data Steward(s) with an assessment of the third party's information and IT security posture so that an informed decision can be made as to whether the University should enter into an agreement with the third party.
  9. Armed with all of this information, and if the University decides to enter into an agreement with the third party, IU Procurement Services will include appropriate contract language in the agreement with the third party to cover the types of services being provided by the third party and the types of data being stored, processed, or transmitted by the service(s).

Specific Areas of Interest

Payment/credit cards

Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor.

While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged up front and remain engaged throughout the entire process.

Leveraged infrastructure or "cloud" services

The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. While this document remains high level rather than granular, it offers the UIPO/UISO perspective on third-party cloud services, giving you some idea of the issues to consider and the types of questions you may be asked.

Vendor services residing on the IU network

Certain circumstances may call for third party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.

Protected Health Information (PHI)

Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.
