Sharing University Information with Third Parties
When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires the following information to be submitted for review and, in the case of Critical data, assessment by the University Information Security Office (UISO).
University Policy DM-01 states: “The university also recognizes the need to share institutional information with partners to accomplish its mission and that, when disclosing this information, the university must exercise due care. Furthermore, to ensure compliance with applicable federal and state laws, regulations, and university policies, it is vital to evaluate and approve the ability of third parties to appropriately handle and protect information before information is shared.”
To streamline the Third-Party Assessment process and give all parties one central location to access documents and provide feedback, the UISO is piloting a new method that uses Box online document storage as that central location.
The Box folder will be shared with the requesting department, the UISO analyst, and the appropriate data steward(s). Vendors will be given access to the security questionnaire for completion and the ability to upload documents to a specified folder. Box can be used to assign tasks and leave comments to help identify where in the review process the assessment stands and what actions need to be taken.
To initiate the review process, the department, the Purchasing Office or the Data Steward may request that a product be reviewed based on the sensitivity of the data to be stored or processed by the application/service. Requests for assessments should be sent to firstname.lastname@example.org. If it is determined that an assessment is required, the UISO will create the Box folder and add all necessary participants.
The requestor should download the Data-Inventory.xlsx file from the bottom of this page, complete the inventory spreadsheet, and email it, along with a brief description, to email@example.com.
UISO engineers will create the Box folder and add the appropriate university data stewards and departmental contacts. Vendors will be granted access to the “IU Third-Party Assessment” folder inside the review’s project folder so they can complete the Third-Party Safeguard.xlsx and upload product documentation.
Third-party assessments vary based on the product and the type of institutional data to be processed by the application. In general, the process is as follows:
(1) Purchasing identifies a Purchase Order for third-party vendor software that may use, manage, or reference IU data classified as critical, or for which IU is providing data to the vendor in order to run a business function for IU.
Note: There is currently no effective way for Purchasing to identify requisitions/purchases made using procurement cards, so purchases of third-party products that may use, manage, or reference data classified as critical could be overlooked.
(2) Purchasing contacts the University Information Security Officer for a preliminary evaluation of whether a purchase request necessitates a third-party data security review.
(3) The University Information Security Officer determines if a UISO third-party assessment is merited and assigns the case to a UISO engineer. If a third-party assessment is deemed not necessary, the University Information Security Officer informs Purchasing and the purchasing process continues.
(4) The Data Security Questionnaire is provided to the vendor. The Data Security Questionnaire is kept in the IU Third-Party Assessment folder inside the Box project folder and is available for review by the department that originated the PO, the Purchasing department, the Data Stewards, and the UISO.
(5) The UISO engineer reviews the information. If further clarification or additional information regarding the submitted Data Security Questionnaire is needed from the department and/or the vendor, the UISO engineer follows up with further questions or requests for substantiating documents.
(6) The aforementioned step (5) continues until the UISO Engineer is able to make an informed recommendation to the appropriate Data Steward.
(7) The UISO engineer provides the appropriate Data Steward with a report of the third-party evaluation and consultation regarding the results. The report includes:
+ Overview of Vendor, Product, Purpose of Review, and IU data used
+ Identified risks and recommendations
+ Additional Document: The Completed Data Security Questionnaire
+ Additional Document: Any further addenda, follow-up questions, and/or applicable communications
(8) Provided the Data Steward has no further questions or requirements for the vendor (a final question-and-answer series may occur at this point), the Data Steward makes the final determination regarding the contract requirements and approves or disapproves the purchase.
Specific Areas of Interest
Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor.
While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged up front and remain so throughout the entire process.
Leveraged infrastructure or cloud services
The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. While this document remains high level rather than granular, it offers the UIPO/UISO perspective on third-party cloud services, giving you an idea of the issues to consider and the types of questions you may be asked.
Vendor services residing on the IU network
Certain circumstances may call for third-party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.
Protected Health Information (PHI)
Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.