When institutional data is to be shared with a third party (for example, an information technology cloud provider), Policy DM-02 on Disclosing Institutional Information to Third Parties requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.
While the university recognizes the need to share institutional information with partners to accomplish its mission, departments must exercise due care to ensure compliance with applicable laws, regulations, and university policies. It is also vital to assess and approve the ability of third parties to appropriately handle and protect information before information is shared. The University Information Security Office (UISO) manages this responsibility through a process known as a Third Party Security Assessment (3PA).
To initiate a 3PA, the Requester (from the department engaging with the third party), Purchasing, or a data steward may request a product be reviewed based on the sensitivity of the data to be stored or processed by the application/service. The Requester has two primary responsibilities to initiate a 3PA:
- Download the Data Handling Matrix (DHM) with its associated instructions, complete it, and email it, along with a brief description, to firstname.lastname@example.org.
- Download the Data Security Safeguards Matrix (DSSM) with its associated instructions and provide it to the vendor. Involving the vendor early reduces delays later in the 3PA process.