Sharing University Information with Third Parties
When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires the following information to be submitted for review and, in the case of Critical data, assessment by the University Information Security Office (UISO). Please follow the link and be prepared to provide the information requested in the section below.
(This form should be filled out by your departmental purchasing representative. Representatives will be the primary contact for the review and will receive updates on its status.)
1. Company name and software application being assessed
2. IU department requesting the software
3. Links to company website and software page
4. Email addresses for all vendor contacts relevant to this purchase (limit of 5)
5. Selection of all types of institutional data to be processed or stored by the company and/or application
Third Party Assessments vary based on the product and the type of institutional data to be processed by the application. In general, the process is as follows.
1. Departmental Purchasing Representative submits a request in the Third Party Assessment Tool.
   b) Authenticate using IU username and passphrase.
   c) Click the green “Create Third Party/Product” button in the upper right-hand corner.
   d) Provide the information collected in steps 1-5 above.
   e) Click “Submit For Review” at the bottom of the page.
2. The request is automatically sent to the UISO for initial review to determine if a Third Party Assessment is needed. If an assessment is required, the vendor assessment is created and both departmental purchaser and vendor are notified.
3. Each vendor will be required to create a guest account to gain access to the Third Party Assessment Questionnaire. Instructions will be included in an email sent to the vendor’s provided email address. For more information, see “Guest accounts at IU” https://kb.iu.edu/data/alqt.html
4. The vendor completes the questionnaire and submits it for review. UISO staff review the answers and request additional information if needed.
5. UISO prepares a comprehensive report of its findings and recommendations and provides it to the Committee of Data Stewards.
6. The Committee of Data Stewards analyzes the report and approves or denies the purchase of software.
Specific Areas of Interest
Any system at Indiana University that involves payment cards or payment card data, whether outsourced or hosted internally, must be compliant with the PCI DSS. The PA-DSS is also relevant when considering contracting with a payment application vendor.
While the UISO is involved, this process is coordinated through the IU Office of the Treasurer. Departmental technical staff should be engaged up front and remain so throughout the entire process.
Leveraged infrastructure or cloud services
The University Information Policy Office has drafted a document to assist you in evaluating risks and learning about appropriate use of cloud computing and leveraged infrastructure services. Although the document is high level rather than granular, it offers the UIPO/UISO perspective on third-party cloud services and gives you an idea of the issues to consider and the types of questions you may be asked.
Vendor services residing on the IU network
Certain circumstances may call for third party services residing on the IU network. These could include, but are not limited to: vendor services or servers connected to the IU network, software installed on an IU server but maintained by a vendor, or some combination of the two. In these cases, the requirements and roles of each party involved should be clearly and comprehensively outlined.
Protected Health Information (PHI)
Health information pertaining to individuals may be covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It isn't just clinicians who work with PHI—researchers might too if their research derives from medical records or if the research provides a healthcare service to the subject. Third parties with whom we share PHI must at a minimum sign a Business Associate Agreement (BAA) and will likely need to undergo a security assessment.