Sharing University Information with Third Parties
In cases where university information is shared with a third party and IT systems and services are provided by the third party, the University Information Security Office requires the following information to assist with the agreement and next steps.
- A brief paragraph describing the purpose of the agreement with the third party.
- A description of who (IU or the third party) is responsible for what parts of the system or service provided by the third party.
- A description of the types (e.g., what specific data elements, is it data about faculty, staff, and/or students, etc.) and quantity (i.e., number of records) of data involved.
- The third party's responses to the information and IT related security questions in the Office of Procurement Services' RFP template
- Please share it with the University Information Security Office by sending an email to email@example.com; a security engineer will review the information to develop an understanding of the system as well as the vendor's approach to security; the security engineer may ask for additional information or clarification if necessary; the security engineer will review the responses more closely if the Committee of Data Stewards has classified the data involved at the critical level.
- Please share it with the appropriate Data Steward(s) based on the type of data involved so they can provide guidance; the security engineer can help you determine which Data Steward(s) to involve if you would like;
- The security engineer will provide both you and the Data Steward(s) his/her assessment of the third party's information and IT security posture so that an informed decision can be made as to whether the University should enter into an agreement with the third party;
- Armed with all of this information, and if the University decides to enter into an agreement with the third party, IU Procurement Services will include appropriate contract language in the agreement with the third party to cover the types of services being provided by the third party and the types of data being stored, processed, or transmitted by the service(s)
Once you have gathered all of the information requested in numbers 1-4, then:
Specific Areas of Interest
Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor.
While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged upfront and remain so throughout the entire process.
Leveraged infrastructure or "cloud" services
The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. While this document remains high level and less granular, it offers the UIPO/UISO perspective on 3rd party cloud services, giving you some idea about issues to consider and types of questions you may be asked.
Vendor services residing on the IU network
Certain circumstances may call for third party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.
Protected Health Information (PHI)
Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.