Vendor/Supplier Management Standard

Objective

To ensure appropriate information security controls in vendor IT services or products that collect, transmit, process, or store University data from the procurement through the termination process and to ensure appropriate stewardship of University assets and integrity when acquiring goods and services.

Security Controls

Procurement Table

The following table defines the baseline security controls that an individual or unit needs to include in their procurement process.

| Control ID | Description | High | Medium | Low |
|---|---|---|---|---|
| VSM.A.01 | Include the Information Security Software/Hardware or Professional Services questions where applicable to the purchase of a product or service. | Required | Required | Recommended |
| VSM.A.02 | Review that the product/service can be implemented in a manner that conforms to the University Administrative Policy: Information Security and its standards. | Required | Required | Required |
| VSM.A.03 | Review the Information Security Questions for Contract Review and include the applicable sections in the contract. | Required | Required | Required |
| VSM.A.04 | Obtain and review the vendor's certifications/attestations of compliance to meet legal or contractual obligations and to ensure the expected security controls are in place (e.g., SSAE18, ISO 27001, or for PCI DSS: SAQ/ROC, Cloud Security Alliance). | Required | Recommended | Recommended |

Ongoing Table

The following table defines the baseline security controls that an individual or unit needs to include in their ongoing management of a vendor contract or purchase agreement.

| Control ID | Description | High | Medium | Low |
|---|---|---|---|---|
| VSM.B.01 | Monitor the vendor product/service to ensure that it continues to conform to the Administrative Policy: Information Security and its standards. Consult the legal, regulatory, or contractual obligation for the review frequency; where none applies, review at contract renewal or at least every 3 years. | Required | Required | Required |
| VSM.B.02 | Document the periodic review of the vendor's certifications/attestations of compliance to meet legal or contractual obligations and to ensure the expected security controls are in place (e.g., SSAE18, ISO 27001, or for PCI DSS: SAQ/ROC, Cloud Security Alliance). Consult the legal, regulatory, or contractual obligation for the review frequency; where none applies, review at contract renewal or at least every 3 years. | Required | Recommended | Recommended |

Termination Table

The following table defines the baseline security controls that an individual or unit needs to include when terminating a vendor contract or purchase agreement.

| Control ID | Description | High | Medium | Low |
|---|---|---|---|---|
| VSM.C.01 | Work with the vendor to follow the University data retention procedure. | Required | Required | Required |
| VSM.C.02 | Confirm and document with the vendor the secure disposal of equipment/media and University data (see the Media Sanitization standard). | Required | Required | Required |

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who purchase or manage contracts for University IT resources.

Related Information

Published Date

March 2016

Last Reviewed

April 2019
