When institutional data is to be shared with a third party (for example, an information technology cloud provider), Policy DM-02 on Disclosing Institutional Information to Third Parties requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.
While the university recognizes the need to share institutional information with partners to accomplish its mission, departments must exercise due care to ensure compliance with applicable laws, regulations, and university policies. It is also vital to assess and approve the ability of third parties to appropriately handle and protect information before information is shared. The University Information Security Office (UISO) manages this responsibility through a process known as a Third-Party Security Assessment (3PA).
To initiate a 3PA, the Requester (from the department engaging with the third party), Purchasing, or a data steward may request a product be reviewed based on the sensitivity of the data to be stored or processed by the application/service.
The Requester has three primary responsibilities to initiate a 3PA:
1. Complete the Software and Services Selection Process (SSSP) Form. If the SSSP determines that a Third-Party Assessment is necessary, continue to step 2.
2. Download the Data Handling Matrix (DHM) with its associated instructions and complete it. Forward the SSSP approval email, with a brief description and the completed DHM attached, to email@example.com.
3. If your Data Handling Matrix identified Critical Data, download the Higher Education Cloud Vendor Assessment Tool (HECVAT); if it identified Restricted Data, download the Higher Education Cloud Vendor Assessment Tool Lite (HECVAT-Lite). Provide the appropriate questionnaire to the vendor. Alternatively, you can give the vendor the URL http://www.educause.edu/hecvat and tell them which HECVAT to complete. Involving the vendor early may reduce delays later in the 3PA process.