References to Third Party Compliance With University Policies, Standards, Guidelines, And Procedures

References to Third Party Compliance With University Policies, Standards, Guidelines, and Procedures

#Why is this Important
#Reference
#Overview
#Criticality
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
As part of comprehensive data protection, the institution of higher education may want to specify that its contracting third parties will follow institutional policies with respect to use and handling of university data. Failure to follow such policies could constitute a basis upon which to audit contractual performance.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(a); (r)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control SA-9 (External Information System Services)

Overview:
Clauses include instructions to the contracting parties about compliance with originating institution policies in order to ensure data handling in conformance with those policies.

Criticality: Category 2 and Category 4.

Sample RFP Language:

  1. If the Proposer were to be selected, would the Proposer agree to comply with Institution [Information Resources Use and Security Policy]? If Proposer objects to complying with Institution policy, Proposer must, as part of its proposal, identify and describe in detail the reasons for Proposer's objection.

#Top

Sample Contract Clauses:

  1. [Vendor] certifies that all systems and networking equipment that support, interact, or store Institution data meet physical, Network and System security requirements as defined by the Institution at (http://) or that conform to the standards identified by the National Institute of Standards of Technology (NIST) at http://checklists.nist.gov/repository/1023.html and http://checklists.nist.gov/repository/10005.htmlwhere the Institution's requirements control in the event of conflict. Significant deviation from these standards must be approved by the Security Office within the Office of the Chief Information Officer. [Vendor] will notify the Institution within one (1) week if its systems and networking equipment do not conform to these requirements.
  2. [Vendor] shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration. The standard installation, operation, maintenance, update and/or patching of the software shall not alter the configuration settings, and applications designed for normal end users shall run in the standard user context without elevated system administration privileges.
  3. [Vendor] must comply with federal, state, and local laws concerning data privacy, as well as Institution's data handling guidelines during the handling of Institution data.

#Top

common security items


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).