Vendor Security & Compliance Assessment

The university increasingly relies on external service providers for IT and IT-related services. While the use of external service providers allows for cost savings and increased efficiency, it can also create additional risks for the university if the security and compliance policies and procedures of those providers are not fully understood. To address this risk, the university has done the following:

  1. Developed a standard data protection contract addendum that should be attached to all contracts where a service provider accesses, processes, or maintains institutional data. If information protected by HIPAA is involved, a Business Associate Agreement is also required.

  2. Developed the U-M Service Provider Security-Compliance Questionnaire (Excel spreadsheet; U-M login required), which is to be filled out by a service provider if they access, process, or maintain sensitive institutional data.

Procurement Services facilitates the execution of the data protection addendum and the appropriate use of the supplier security and compliance assessment. Information Assurance (IA) works closely with Procurement Services to support the review process for enterprise and ITS procurements.

More Information

About the Data Protection Addendum

The data protection addendum (DPA) is to be a part of all contracts where a service provider has access to institutional data, regardless of data sensitivity. An example data protection addendum is available to review. Work with Procurement Services to obtain an official version of the DPA as needed.

This addendum is required by Section IX of Procurement General Policies and Procedures (SPG 507.01):

All university acquisitions of information technology or data goods and services are required to have a security addendum as part of their contract; and, where required, undergo a privacy and security assessment to ensure compliance with the university's security program and governmental regulations.

About the Questionnaire

The U-M Service Provider Security-Compliance Questionnaire is adapted from the Cloud Security Alliance Consensus Assessments Initiative questionnaire. It is used to assess the service provider's security and compliance environment. The questionnaire is periodically reviewed and revised by staff from Information Assurance and Michigan Medicine Compliance.

Using the Questionnaire

The questionnaire should be completed and reviewed as part of the procurement process, ideally before the service is procured. If a request for proposals (RFP) is being conducted, include the questionnaire in the process.

  1. Share the Questionnaire
    Procurement Services or unit conducts a request for proposals (RFP) and includes the questionnaire.
  2. Vendor Responds
    Vendor completes the questionnaire or provides alternate documentation that describes their information assurance program. Vendor questions about the questionnaire should be directed to Procurement Services.
  3. Review the Questionnaire
    The Security Unit Liaison (SUL) or other designee reviews the questionnaire or other provided documentation about the vendor’s information assurance program, and follows up with Procurement or the vendor if clarification or additional information is needed.

Service Provider Review Process

Who Is Responsible

The Security Unit Liaison (SUL) should primarily handle the service provider security and compliance review process. An IT director may also act as reviewer of the information. Additional interested parties or stakeholders should also assist in reviewing to help avoid a single point of failure.

What to Consider When Reviewing

The review process is qualitative rather than quantitative. When reviewing the questionnaire and/or IT security and compliance documentation, consider the following:

  • Does the service provider provide any additional documentation that describes their IT security and compliance program (see below)?
  • Does the additional documentation (either publicly available or provided as part of the Procurement process) describe a reasonable information assurance program?
  • How many questions are answered "yes" in the questionnaire?
  • Does the service provider provide additional details beyond a "yes" or "no" response?
  • Do their responses seem plausible?

Additional Information to Review

In addition to reviewing the questionnaire, review other sources of documentation and information that are publicly available or provided by the vendor, such as these:

Decision Making

In most cases, the final decision is the unit's and it is their responsibility to decide if the service provider responses and documentation, on the aggregate, are adequate.

Have Questions or Need Assistance?

Please contact Information Assurance by submitting a service request to the ITS Service Center.