When institutional data is to be shared with a third party (for example, an information technology cloud provider), Policy DM-02 on Disclosing Institutional Information to Third Parties requires that proactive steps be taken to be aware of and reduce the risks associated with sharing the information.
While the university recognizes the need to share institutional information with partners to accomplish its mission, due care must be exercised to ensure compliance with applicable laws, regulations, and university policies. It is also vital to assess and approve the ability of third parties to appropriately handle and protect information before information is shared.
To streamline the process of third-party assessments and provide a central location where all parties can access documents and provide feedback, the UISO is piloting a new method that uses Box online document storage as this central location.
A Box folder is shared with the requesting department, the UISO analyst, and the appropriate data steward(s). Vendors are given access to a security questionnaire for completion and the ability to upload it and other documents to a specified folder. Box is used to assign tasks and leave comments to help identify where in the review process the assessment stands and what actions need to be taken.
To initiate the review process, the department, the Purchasing Office, or the data steward may request that a product be reviewed based on the sensitivity of the data to be stored or processed by the application/service. Requests for assessments should be sent to firstname.lastname@example.org. If it is determined that an assessment is required, the UISO will create the Box folder and add all necessary participants.
The requestor should download the Data-Inventory.xlsx spreadsheet, complete it, and email it, along with a brief description to email@example.com.
The UISO will create the Box folder and add the appropriate university data stewards and departmental contacts. The department can then grant the vendor access to the "IU Third-Party Assessment" subfolder, which contains the Third-Party Safeguard.xlsx file. The vendor completes this file and re-uploads it, along with any other product documentation.
Third-party assessments vary based on the product and the type of institutional data to be processed by the application. In general, the process is as follows:
- The requesting department completes the Data-Inventory.xlsx spreadsheet and sends the completed file to firstname.lastname@example.org.
- The University Information Security Office stores the Data-Inventory.xlsx spreadsheet in a newly created Box project folder for the assessment and invites the requesting department contact and the appropriate data stewards to access that folder.
- If Critical data is involved, the University Information Security Officer assigns a UISO engineer or analyst to perform an assessment. If a third-party assessment is deemed unnecessary and the data stewards have no further comments or stipulations, the purchasing process continues.
- The requesting department shares the "IU Third-Party Assessment" subfolder with a vendor contact. This subfolder contains the Third-Party Safeguards questionnaire, which the vendor should complete and re-upload to the same folder.
- The UISO engineer or analyst assesses the questionnaire. If the UISO needs clarification or additional information from the department, the vendor, or both, the UISO engineer follows up with further questions or requests for substantiating documents using Box's comment feature.
- The preceding step repeats until the UISO is able to make informed recommendations to the appropriate data steward(s).
- The UISO engineer provides the appropriate Data Steward with a report of the third-party assessment, along with any consultation offered regarding the results. The report includes:
  - An overview of the vendor, the product, the purpose of the review, and the IU data used
  - Identified risks and recommendations
  - Additional document: the completed Data Security Questionnaire
  - Additional document: any further addenda, follow-up questions, and/or applicable communications
Provided the Data Steward has no further questions or requirements for the vendor, the Data Steward makes the final determination regarding the contract requirements and approves or disapproves the purchase.