Third Party Vendor Security & Compliance

If your unit uses a non-university product or service with university data, you must ensure adequate protection of the data.

  1. Select a vendor that meets compliance requirements. Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need a good understanding of how potential vendors will protect university data before choosing a vendor. A U-M questionnaire is available to help you gather the needed information from prospective vendors.
  2. Include IT security and privacy in your vendor contract. Once you select a vendor, you will need to include the appropriate agreements to protect university data. A data protection addendum is required as part of any contract where a service provider will have access to institutional data. Other agreements may be needed for specific data types.
  3. Manage vendor security compliance. You must monitor and periodically reassess your selected vendor's security compliance as part of your ongoing vendor relationship management.

Your unit's Security Unit Liaison is expected to coordinate (or designate someone to coordinate) efforts to meet the responsibilities outlined in Third Party Vendor Security and Compliance (DS-20). Procurement Services, Information Assurance, and other university units can help you every step of the way.

Applicable University Policies