When institutional data is to be shared with a third party (e.g., an information technology cloud provider), Policy DM-02 “Disclosing Institutional Information to Third Parties” requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.
Protect data shared with cloud services and other third parties.
Responsibility: The Requester is responsible for marshalling the 3PA process.
- Submit a Software & Services Selection Process (SSSP) form; then, if directed by the SSSP . . .
- Seek Data Steward approval by submitting a Data Handling Request (DHR) to begin a Third-Party Assessment (3PA).
- If the Data Stewards require a UISO targeted risk assessment, obtain the appropriate Higher Education Cloud Vendor Assessment Tool (HECVAT) from the 3rd party.