Printed on: 10/22/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
Appendix

Vendor/Supplier Management Standard

Appendix to Policy

Objective

To ensure appropriate information security controls in vendor IT services that collect, transmit, process or store University data from the procurement through the termination process.

Security Controls

Procurement Table

The following table defines the baseline security controls that an individual or unit needs to include in their procurement process.

Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low
VSM.A.01 | Include the information security RFP questions where applicable to the purchase of a product or service. | Required | Required | Recommended
VSM.A.02 | Review that the product/service can be implemented in a manner that conforms with the University Administrative Policy: Information Security and its standards. | Required | Required | Required
VSM.A.03 | Review the Information Security Questions for Contract Review and include applicable sections in the contract. | Required | Required | Required
VSM.A.04 | Obtain from the vendor, and review, certifications/attestations of compliance that meet legal or contractual obligations (e.g., SSAE18, ISO, or for PCI-DSS: SAQ/ROC). | Required | Recommended | Recommended

Ongoing Table

The following table defines the baseline security controls that an individual or unit needs to include in their ongoing management of a vendor contract or purchase agreement.

Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low
VSM.B.01 | Monitor the vendor product/service to ensure that it continues to conform with the Administrative Policy: Information Security and its standards. | Required | Required | Required
VSM.B.02 | Periodically review the vendor's certifications/attestations of compliance that meet legal or contractual obligations (e.g., SSAE18, ISO, or for PCI-DSS: SAQ/ROC). Consult the law or contractual obligation for the review frequency. Where none is specified, review at contract renewal or at least every 3 years. | Required | Recommended | Recommended

Termination Table

The following table defines the baseline security controls that an individual or unit needs to include when terminating a vendor contract or purchase agreement.

Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low
VSM.C.01 | Work with the vendor to follow the University data retention procedure. | Required | Required | Required
VSM.C.02 | Confirm and document with the vendor the secure disposal of equipment/media and University data (see the Media Sanitization standard). | Required | Required | Required

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who purchase or manage contracts for University IT resources.

Related Information

More information on Vendor/Supplier Management.

How to use the information security standards

Published Date

  • March 2016
