The university is increasingly looking to external service providers to provide IT and IT-related services. While the use of external service providers allows for cost savings and increased efficiency, it can also create additional risks for the university if the security and compliance policies and procedures of the service providers are not fully understood. To address this risk the university has done the following:
- Developed a standard data protection contract addendum that should be attached to all contracts where a service provider accesses, processes, or maintains institutional data. If information protected by HIPAA is involved, a Business Associate Agreement is also required.
- Developed the U-M Service Provider Security-Compliance Questionnaire (Excel spreadsheet; U-M login required), which is to be filled out by a service provider if they access, process, or maintain sensitive institutional data.
Procurement Services facilitates the execution of the data protection addendum and the appropriate use of the supplier security and compliance assessment. Information Assurance (IA) works closely with Procurement Services to support the review process for enterprise and ITS procurements.
About the Data Protection Addendum
The data protection addendum (DPA) is to be a part of all contracts where a service provider has access to institutional data, regardless of data sensitivity. An example data protection addendum is available to review. Work with Procurement Services to obtain an official version of the DPA as needed.
This addendum is required by Section IX of Procurement General Policies and Procedures (SPG 507.01):
All university acquisitions of information technology or data goods and services are required to have a security addendum as part of their contract; and, where required, undergo a privacy and security assessment to ensure compliance with the university's security program and governmental regulations.
About the Questionnaire
The U-M Service Provider Security-Compliance Questionnaire is adapted from the Cloud Security Alliance Consensus Assessments Initiative questionnaire. It is used to assess the service provider's security and compliance environment. The questionnaire is periodically reviewed and revised by staff from Information Assurance and Michigan Medicine Compliance.
Using the Questionnaire
The questionnaire should be completed and reviewed as part of the procurement process, ideally before the service is procured. If a request for proposals (RFP) is being conducted, include the questionnaire in the process.
- Share the Questionnaire
Procurement Services or unit conducts a request for proposals (RFP) and includes the questionnaire.
- Vendor Responds
Vendor completes the questionnaire or provides alternate documentation that describes their information assurance program. Vendor questions about the questionnaire should be directed to Procurement Services.
- Review the Questionnaire
The Security Unit Liaison (SUL) or other designee reviews the questionnaire or other provided documentation about the vendor’s information assurance program, and follows up with Procurement or the vendor if clarification or additional information is needed.
Service Provider Review Process
Who Is Responsible
The Security Unit Liaison (SUL) should primarily handle the service provider security and compliance review process. An IT director may also act as reviewer of the information. Additional interested parties or stakeholders should also assist in reviewing to help avoid a single point of failure.
What to Consider When Reviewing
The review process is qualitative rather than quantitative. When reviewing the questionnaire and/or IT security and compliance documentation, consider the following:
- Does the service provider provide any additional documentation that describes their IT security and compliance program (see below)?
- Does the additional documentation (either publicly available or provided as part of the Procurement process) describe a reasonable information assurance program?
- How many questions are answered "yes" in the questionnaire?
- Does the service provider provide additional details beyond a "yes" or "no" response?
- Do their responses seem plausible?
Additional Information to Review
In addition to reviewing the questionnaire, review other sources of documentation and information that are publicly available or provided by the vendor, such as these:
- Assessments or certifications. Does the company have any? Are they publicly posted and current? Examples include ISO certification, PCI DSS, and FedRAMP.
- Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR). Is the vendor listed in the registry? Vendors listed there attest to compliance with CSA's Cloud Controls Matrix.
- Previously completed security questionnaires, such as the Cloud Security Alliance Consensus Assessments Initiative questionnaire.
- Publicly available security and compliance documentation, such as the Amazon Web Services (AWS) Security and AWS Compliance websites, or the Salesforce Security, Privacy, and Architecture documentation.
- Securely available security and compliance program documentation or whitepapers provided under a non-disclosure agreement (NDA).
- Other service provider security and compliance documentation, such as specific policies and procedures. These are also often provided under an NDA.
- Company reputation. If you conduct a web search, do they seem to be well-trusted and well-regarded? Has the company had a security incident or data breach in the past?
In most cases, the final decision is the unit's and it is their responsibility to decide if the service provider responses and documentation, on the aggregate, are adequate.