Sharing University Information with Third Parties
When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires the following information to be submitted for review and, in the case of Critical data, assessment by the University Information Security Office (UISO). Please download the attached workbook and provide it to the vendor to fill out and return. When the vendor has returned the completed workbook, email the workbook to email@example.com. A ticket will be generated and assigned to a member of the UISO staff.
When returning the completed workbook, please include the following information.
1. Company name and software application being assessed
2. IU department requesting the software
3. Links to company website and software page
4. Email addresses for all vendor contacts relevant to this purchase
5. All types of institutional data to be processed or stored by the company and/or application
Third Party Assessments vary based on the product and the type of institutional data to be processed by the application. In general, the process is as follows.
1. Departmental representative downloads the workbook and forwards to the vendor for completion.
2. The completed workbook is returned to the departmental representative and then emailed to firstname.lastname@example.org.
3. The request is sent to the UISO for initial review to determine if a Third Party Assessment is needed. We’ll let you know if an assessment is required and assign the project to a UISO engineer.
4. UISO prepares a comprehensive report of its findings and recommendations and provides this report to the Committee of Data Stewards.
5. The Committee of Data Stewards analyzes the report and approves or disapproves the purchase of the software. Often, the Committee will require certain steps to be taken by the vendor or the department to mitigate the more substantial risks.
Specific Areas of Interest
Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor.
While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged up front and remain so throughout the entire process.
Leveraged infrastructure or cloud services
The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. Although this document is high level rather than granular, it offers the UIPO/UISO perspective on third-party cloud services, giving you some idea of the issues to consider and the types of questions you may be asked.
Vendor services residing on the IU network
Certain circumstances may call for third party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.
Protected Health Information (PHI)
Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.