Third Party Vendor Security and Compliance

Standard number: DS-20
Date issued: 3/5/18
Date last reviewed: 3/5/18
Version: 1.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance

This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

  1. Overview

    The use of external service providers can result in cost savings, efficiencies, greater security and compliance, stronger resiliency, and higher quality services. However, outsourcing of IT services also creates risks for the university if the information assurance posture of the service providers is not assessed or understood. In order to ensure that appropriate information assurance considerations are integrated into the procurement process, Procurement General Policies and Practices (SPG 507.01), Section IX, requires all university units engaging in acquisitions of, or contracting for, information technology or data goods and services to

    • Include the U-M data protection (security) addendum as part of the contract;
    • Where mandated, require the prospective vendor to undergo a privacy, security, and compliance assessment;
    • Involve Procurement Services if the transaction includes providing access to sensitive institutional data, including all data types regulated by federal or state law;
    • In addition, involve U-M Merchant Services if the transaction includes payment card information (PCI).

    Federal or state regulations or contractual agreements may require additional actions that exceed those included in this Standard.

  2. Scope

    This standard applies to the entire university, including the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, and all affiliates. The scope also encompasses all units and individual faculty, researchers, staff, and workforce members who enter into contractual relationships on behalf of the university with third party vendors or contractors.

    Specifically, this Standard also applies to:

    • Contracts, including research contracts or agreements, with a third-party vendor that will establish a service on behalf of the university that will create, process, maintain, transmit, or store institutional data, particularly that classified as Restricted, High, or Moderate;
    • Transfers of any sensitive institutional data from a university-owned system or device to a third-party vendor contracted system or device (including biomedical devices), whether located on- or off-campus.

  3. Definitions

    • Data Protection Addendum (DPA) (PDF)
      The U-M data protection addendum broadly defines IT security and compliance service provider roles, responsibilities, and requirements related to the management and disclosure of U-M data.
    • U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) (Excel spreadsheet; U-M login required)
      The UMSPSCQ is a standard set of questions used to assess a prospective service provider's IT security and compliance posture and its ability to satisfactorily protect institutional data throughout the lifecycle of its product or service. Additional vendor security risk questionnaires or security assessment tools may be used if vetted and approved by IA.
    • Business Associate Agreement (BAA) (PDF)
      The U-M business associate agreement documents assurances from the service provider that it will not use or disclose PHI except as permitted by law; to the extent the service provider maintains PHI in the Designated Record Set as defined by HIPAA, it will cooperate with Michigan Medicine to honor patient rights as mandated by the Privacy Rule.

  4. Roles and Responsibilities

    • Information Assurance (IA)
      • Coordinate periodic review and update of DPA and vendor security and compliance assessment tools;
      • Periodically review assessment process and maintain documentation related to it;
      • Support and consult with units on assessments.
    • U-M Procurement Services
      • Maintain up-to-date versions of DPA, BAA, UMSPSCQ and other equivalent and approved vendor security assessment tools;
      • Incorporate DPA into contracts/agreements;
      • Provide UMSPSCQ or other vendor security assessment tool to vendor as required; serve as interface with vendor during assessment process.
    • U-M Merchant Services
      • Approve all contracts or purchases of credit card transaction services, software and/or equipment;
      • Ensure that third party vendors maintain compliance with the PCI Data Security Standard for the life of the agreement.
    • Office of the General Counsel
      • Periodically participate in review and update of BAA and DPA documents;
      • Review contracts and DPAs on an as-needed basis.
    • University Units (includes schools, colleges, institutes, departments, research centers, research projects, clinical environments)
      • Abide by provisions of this Standard and appropriately monitor third party vendors for compliance with DPA. The Security Unit Liaison (SUL) or an IT manager/director should primarily handle the service provider security and compliance review process.

  5. Standard

    U-M units and all individual faculty, staff, and workforce members must adhere to the Vendor Security and Compliance Assessment process outlined on U-M Safe Computing in all situations where U-M data is to be accessed by, or shared with, a third party vendor. Prospective or current vendors are required to submit to the university documentation according to the following table:

    Data Security Document: Data Protection Addendum
      U-M Unit with Primary Responsibility: Procurement Services
      Third Party Vendor Requirement: Required (or its equivalent) in all contracts where a vendor accesses, processes, or maintains any type of institutional data

    Data Security Document: Service Provider Security & Compliance Assessment Questionnaire
      U-M Unit with Primary Responsibility: Procurement Services
      Third Party Vendor Requirement: Required (or its equivalent) to be completed prior to contract award by prospective vendors that will access, process, or maintain Restricted or High data

    Data Security Document: Business Associate Agreement
      U-M Unit with Primary Responsibility: Procurement Services and Michigan Medicine Compliance
      Third Party Vendor Requirement: Required for all contracts that involve processing, maintaining, or storing Protected Health Information (PHI)

    Data Security Document: Payment Card Information Attestation of Compliance
      U-M Unit with Primary Responsibility: Merchant Services
      Third Party Vendor Requirement: Required annually from a Qualified Security Assessor (QSA) (or the vendor must be listed as a Level 1 provider on the VISA website)

    As part of its ongoing due diligence, U-M seeks to have in place risk management processes commensurate with the level of risk and complexity of its third party relationships. Vendors that have access to Restricted or High data or are providing higher-risk services should receive the greatest scrutiny prior to formalizing a contractual relationship. They should be periodically assessed and monitored as part of ongoing third party vendor risk management.

    The following U-M information security Standards have additional third party vendor provisions that are incorporated by reference into this Standard:

    • Data Encryption
    • Disaster Recovery Planning for Information Systems and Services
    • Electronic Data Disposal and Media Sanitization
    • Network Security
    • Secure Coding and Application Security

    Software Procurement and Licensing Compliance (SPG 601.03-3) is the authoritative source for information assurance protections related to software purchased from third parties.

    Incident Reporting
    Third party vendors are required to report suspected security incidents to U-M, as well as meet all incident-related regulatory requirements based on the type of data involved. They must notify the university of a breach that potentially affects U-M data by following the timetable in Information Security Incident Reporting (SPG 601.25).

  6. Violations and Sanctions

    Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, connectivity to the U-M network of devices that do not comply with this Standard may be limited or disconnected.

    Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.

    Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.

  7. Implementation

    Information Assurance is responsible for the implementation, maintenance, and interpretation of this Standard.

  8. References

  9. Related NIST Security Controls

    • PS-07 Third Party Personnel Security
    • SA-04 Acquisition Process
    • SA-09 External Information System Services
    • AC-20 Use of External Information Systems
    • IA-08 Identification and Authentication (Non-organizational users)