Vendor Contract Language Review

Summary

This article describes the steps a USNH business unit should take before selecting a Vendor that will handle non-public information, and explains when the USNH Data Security Addendum must be included in a Vendor contract.

Content

Making sure a Vendor meets USNH requirements

Whenever a business unit at USNH or one of its component institutions plans to engage a Vendor who will have access to Sensitive, Protected, or Restricted Information, USNH Enterprise Cybersecurity Services requests that the business unit perform the following steps up front, prior to making a selection:

  • Engage Procurement Services:
    • Procurement can assist with identifying the appropriate purchasing processes
  • Engage ET&S:
    • Meet with services group(s) who will support the Vendor solution
    • Meet with USNH Enterprise Cybersecurity to identify security requirements
  • Select a Vendor who meets compliance requirements:
    • Understand how the potential Vendors will protect USNH and component institution data/information


Once a Vendor has been identified

  • USNH Enterprise Cybersecurity Governance, Risk, and Compliance requests the opportunity to review any contracts or agreements between USNH or its component institutions and the Vendor as it relates to Information Security
  • This is to ensure the contract covers any applicable compliance requirements (e.g., FERPA, PCI-DSS, PII, HIPAA, GLBA)
  • If any of these compliance requirements are applicable, then the contract will need to include the USNH Data Security Addendum


USNH Data Security Addendum

It is important that the Vendor understands USNH requirements and its obligations. When planning to engage a Vendor who will have access to, store, transmit, or process non-public USNH Information and/or USNH Information Technology (IT) Resources, the USNH Data Security Addendum must be included in the contract.

The USNH Data Security Addendum aligns with the USNH Information Classification Policy and the Third-Party Information Security Standard, which can be found by searching for "Third-Party Information Security Standard" on the Cybersecurity Policies & Standards page. Vendors must comply with all regulatory requirements that apply to the IT Resources or USNH Information they will have access to, store, transmit, or process.


Definitions

FERPA: FERPA, which stands for Family Educational Rights and Privacy Act, is a “federal law that protects the privacy of student educational records.”

GLBA: GLBA, which refers to the Gramm-Leach-Bliley Act, is a federal law that “requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” At USNH, GLBA applies to information provided for financial aid purposes.

HIPAA: HIPAA, which refers to the Health Insurance Portability and Accountability Act, is a federal law that mandates specific privacy and security requirements for handling and protecting personal health information (PHI).

Information Technology Resource: Any hardware, software, firmware, equipment, internet of things (IoT) devices, applications, information systems, etc. used to access, capture, store, process, utilize, integrate, interface with, transmit, or otherwise manage information.

PCI-DSS: The Payment Card Industry – Data Security Standard (PCI-DSS) is a set of “operational and technical requirements” developed by the PCI Security Standards Council that defines required security practices for all “organizations accepting or processing payment transactions” or that develop information technology resources used to process them.

Personally Identifiable Information (PII): “Any information about an individual that can be used to distinguish or trace an individual's [sic] identify and any other information that is linked or linkable to an individual.”

PROTECTED Information: Tier 3 of the USNH Information Classification Framework which includes information requiring safeguards and specific privacy handling procedures. It includes student information and educational records protected under FERPA.

PUBLIC Information: Tier 1 of the USNH Information Classification Framework which includes information specifically approved by data stewards for public distribution (e.g., any information posted publicly on USNH websites - email addresses, name, department).

RESTRICTED Information: Tier 4 of the USNH Information Classification Framework which includes information requiring specific security controls. It includes personally identifiable information like SSN and passport number, credit card information, and research information.

SENSITIVE Information: Tier 2 of the USNH Information Classification Framework which includes information that can be shared when there is a valid purpose to do so, but that cannot be shared publicly.

Vendor: A third-party provider of an information technology resource or capability.


Further Readings

USNH Data Security Addendum

USNH Information Classification Policy

Cybersecurity Policies & Standards - Search for "Third-Party Information Security Standard"

Need additional help?

If you have any questions regarding any of the information on this page, please contact Cybersecurity.GRC@usnh.edu.

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.