Sharing University Information with Third Parties
When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires the following information to be submitted for review and, in the case of Critical data, assessment by the University Information Security Office (UISO).
Per University Policy DM-01, “the university also recognizes the need to share institutional information with partners to accomplish its mission and that, when disclosing this information, the university must exercise due care. Furthermore, to ensure compliance with applicable federal and state laws, regulations, and university policies, it is vital to evaluate and approve the ability of third parties to appropriately handle and protect information before information is shared.”
In an effort to streamline the process of the Third Party Assessment and provide a central location for all parties to access documents and provide feedback, the UISO is piloting a new method using Box online document storage to provide this central location.
A Box folder is shared with the requesting department, the UISO analyst, and the appropriate data steward(s). Vendors are given access to a security questionnaire for completion and the ability to upload it and other documents to a specified folder. Box is used to assign tasks and leave comments to help identify where in the review process the assessment stands and what actions need to be taken.
To initiate the review process, the department, the Purchasing Office, or the data steward may request that a product be reviewed based on the sensitivity of the data to be stored or processed by the application/service. Requests for assessments should be sent to firstname.lastname@example.org. If it is determined that an assessment is required, the UISO will create the Box folder and add all necessary participants.
The requestor should download the Data-Inventory.xlsx file from the bottom of this page, complete the inventory spreadsheet and email it, along with a brief description to email@example.com.
The UISO will create the Box folder and add the appropriate university data stewards and departmental contacts. The department can then grant the vendor access to the “IU Third-Party Assessment” subfolder, which contains the Third-Party Safegarud.xlsx file. The vendor complets and re-uploads this file and any other product documentation.
Third-party assessments vary based on the product and the type of institutional data to be processed by the application. In general the process is as follows.
- The requesting department completes the Data-Inventory.xlsx file from the bottom of this page and sends the completed file to firstname.lastname@example.org.
- The University Information Security Office stores the Data-Inventory.xlsx file in a newly created Box project folder for the assessment and invites the requesting department contact and the appropriate data stewards to access that folder.
- If Critical data is involved, the University Information Security Officer assigns a UISO engineer or analyst to perform an assessment. If a third-party assessment is deemed unnecessary and the data stewards have no further comments or stipulations the purchasing process continues.
- The requesting department shares the "IU Third-Party Assessment" subfolder with a vendor contact. This subfolder contains the Third-Party Safeguards questionnaire, which the vendor should complete and re-upload to the same folder.
- The UISO engineer or analyst assesses the questionnaire. If the UISO needs further clarification or additional information from either the department and/or the vendor, the UISO engineer follows-up with further questions or requests for substantiating documents using Box's comment feature.
- The aforementioned step repeats until the UISO is able to make informed recommendations to the appropriate data steward(s).
- The UISO engineer provides the appropriate Data Steward a report of the third-party assessment as well as any provided consultation regarding the results:
- Overview of Vendor, Product, Purpose of Review, and IU data used
- Identified risks and recommendations
- Additional Document: The Completed Data Security Questionnaire
- Additional Document: Any further addendum's, follow-up questions, and/or applicable communications
Specific Areas of Interest
Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor. While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged up front and remain so throughout the entire process.
Leveraged infrastructure or cloud services
The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. While this document remains high level and less granular, it offers the UIPO/UISO perspective on 3rd party cloud services, giving you some idea about issues to consider and types of questions you may be asked.
Vendor services residing on the IU network
Certain circumstances may call for third party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.
Protected Health Information (PHI)
Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.
When exchanging confidential information with an external entity, it is often useful and necessary to agree to non-disclosure of that information. The attached Non-Disclosure Agreement (NDA) is the standard agreement acceptable for this purpose. You may use this agreement as a starting point to finalizing an acceptable NDA with the external entity.