Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
To ensure appropriate information security controls in vendor IT services or products that collect, transmit, process, or store University data from the procurement through the termination process and to ensure appropriate stewardship of University assets and integrity when acquiring goods and services.
Security Controls
Procurement Table
The following table defines baseline security controls that an individual or unit need to include in their procurement process.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| VSM.A.01 | Include the Information Security Software/Hardware or Professional Services questions where applicable to the purchase of a product or service. | Required | Required | Recommended |
| VSM.A.02 | Review that the product/service can be implemented in a manner that conforms to the University Administrative Policy: Information Security and standards. | Required | Required | Required |
| VSM.A.03 | Review the Information Security Questions for Contract Review and include applicable sections in the contract. | Required | Required | Required |
| VSM.A.04 | Obtain and review the vendor certifications/attestations of compliance to meet legal or contractual obligations and to ensure expected security controls are in place (e.g., SSAE18, ISO 27001, or for PCI DSS: SAQ/ROC, Cloud Security Alliance). | Required | Recommended | Recommended |
Ongoing Table
The following table defines baseline security controls that an individual or unit need to include in their on-going process of managing a vendor contract or purchase agreement.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| VSM.B.01 | Monitor vendor product/service to ensure that it continues to conform to Administrative Policy: Information Security and standards. Consult the legal, regulatory, or contractual obligation for frequency. For others suggest at contract renewal or maximum of 3 years. | Required | Required | Required |
| VSM.B.02 | Document the periodic review of the vendor's certifications/ attestations of compliance to meet legal or contractual obligations and to ensure expected security controls are in place (e.g., SSAE18, ISO 27001, or for PCI DSS: SAQ/ROC, Cloud Security Alliance). Consult the legal, regulatory, or contractual obligation for frequency. For others, suggest at contract renewal or maximum of 3 years. | Required | Recommended | Recommended |
Termination Table
The following table defines baseline security controls that an individual or unit need to include in their termination of a vendor contract or purchase agreement.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| VSM.C.01 | Work with the vendor to follow the University data retention procedure. | Required | Required | Required |
| VSM.C.02 | Confirm and document with the vendor the secure disposal of equipment/media and University data (see Media Sanitization standard) | Required | Required | Required |
Resources Covered
This standard applies to IT resources owned or contracted by the University.
Individuals Covered
This standard applies to University community members who purchase or manage contracts for University IT resources.
Related Information
- More information on Vendor/Supplier Management.
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to vendor/supplier management.
Published Date
March 2016
Last Reviewed
April 2019