Ensure security requirements are met when third-parties need to access university data.
Overview
In some cases, a third party, such as a supplier, may need to access sensitive data (P3-P4) to fulfill their role for the university. It is important for Unit Heads and Unit Information Security Leads (login required) to select a supplier who can meet UC Santa Cruz’s security requirements, include appropriate provisions in the supplier contract, and ensure completion of all necessary documents.
Procedures
1. Ensure the supplier meets UCSC requirements
Before selecting a supplier, understand how potential suppliers will meet compliance requirements:
- Consult with ITS to clarify security requirements.
- Engage Procurement Services to identify the appropriate purchasing processes.
- Contact Privacy & Information Practices for privacy requirements.
- Contact Risk Services to understand cybersecurity insurance requirements.
- Contact the Digital Accessibility and Equity Lead.
2. Include the appropriate contract language
Appendix Data Security (DS) must be included as part of the contractual terms and conditions when a non-UCSC party will access, collect, process or maintain UCSC institutional information and/or access IT resources. It is important that the supplier understands Appendix DS security requirements and their obligations under it.
Appendix DS aligns with the UC IS-3 Electronic Information Security Policy and requires the supplier to comply with all regulatory requirements that apply to the Institutional Information or IT resources the supplier will access.
In most cases, the supplier should also read Acceptable Use of UCSC Electronic Information Resources Policy and read and sign the Access to Information Statement prior to being granted access to UCSC information, systems, or applications.
Supplier security and compliance should be reassessed when:
- There are major changes at the supplier.
- The classification of the institutional information or IT resources involved changes.
Specific contract language guidance
Follow the guidance below when a contract involves any of the following situations:
European Economic Area (EEA) General Data Protection Regulation (GDPR)
If a supplier contract is subject to the European Economic Area (EEA) General Data Protection Regulation (GDPR), the contract must include a GDPR Appendix. Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Protected health information
If a supplier contract will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal Health Insurance Portability and Accountability Act (HIPAA) legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Credit card data
If you are planning a contract that will provide a non-UCSC party with access to credit card data, or access to UCSC systems or applications that store, process, or transmit this information, the contract must include special PCI terms and conditions. Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Staff-like roles for third parties
ITS Staff: See KB0018044 (login required) for additional requirements for third parties (contractors, consultants, etc.) in staff-like roles.
Responsibilities
Units, Unit Heads and Unit Information Security Leads (UISL) have important and distinct responsibilities to ensure that supplier contracts meet UCSC requirements.
Units
- Complete a vendor risk assessment for suppliers accessing, processing, or storing P3-P4 data.
- Comply with the applicable UC Minimum Security Standard.
- Report any observed supplier security lapses to ITS and ensure that suppliers promptly report any breaches or information security incidents to ITS.
- Follow the UC records retention requirements contained in UC’s Records Management Policies (RMP).
Unit Heads
- Identify and inventory institutional information and IT resources managed by the unit.
- Ensure that supplier agreements incorporate Appendix DS and other relevant contract documents to protect UC data and resources.
- Manage supplier contracts to confirm security requirements are met and review/update agreements based on changes in services or data/resource classification.
Unit Information Security Leads
- Engage with the supplier in advance of the contract process to fully understand the goods/services to be provided.
- Facilitate completion of required materials (such as Appendix DS), coordination with Campus Subject Matter Experts, and the supplier agreement.
- Coordinate efforts to ensure the supplier is secure and compliant.