When is a vendor review required?
IT Compliance recommends that all third-party vendors with access to UVA data be reviewed; this includes both cloud vendors and consultants, including consultants who access data that never leaves UVA. However, according to the University Data Protection Standards 3.0, only vendors handling sensitive, highly sensitive, or mission critical data must be reviewed by UVA IT Compliance before the product or service is purchased or used. If a vendor is already in use at UVA but you will be applying a new use case (sharing new data), a new business purpose, or a new contract, the vendor should undergo an additional review.
What are other opportunities to request a review?
- System Integration Requests
  - When you wish to integrate new or existing services with O365 or other services provided by Central ITS
  - These reviews may also involve making a request to ITS Solutions
- IRB Data Security Plan Reviews
  - IT Compliance should be consulted if the team will handle Highly Sensitive Data as part of a study that is under review by the IRB for SBS
  - IT Compliance should be consulted if the team plans to use a web-based resource not managed by the University (as seen here)
- Static IP on the AON
  - If you request a static IP on the AON through ServiceNow, the request will be routed to IT Compliance for review
- Requests for Exceptions to Policies
  - If you request a Policy Exception through ServiceNow, the request will be routed to IT Compliance for review
- Additional Requests
  - Netbadge integrations
  - New storage for Sensitive or Highly Sensitive Data
  - Provisioning of servers allowing access to UVA data
  - These reviews may also involve making a request to ITS Solutions
How can I request a review?
Instructions for requesting a review can be found here.
How long do reviews typically take?
This can vary depending on the responsiveness of the vendor. If a vendor is responsive and replies to requests for information and documentation in a timely fashion, then a review can take as little as five business days. On the other hand, if a vendor takes multiple weeks to reply to questions, a review will take much longer. Information Security reviews often require extensive back-and-forth, so the responsiveness of a vendor has a significant impact on the overall time it takes to perform a review.
Under what circumstances should I involve Procurement?
Please work with Procurement to ensure you have the appropriate contract with the vendor and, if needed, that the contract has a Data Protection Addendum. Procurement can assist in getting a contract even with a zero-dollar purchase order.
What is the Data Protection Addendum and does it need to be part of the contract?
The Data Protection Addendum (DPA) ensures vendors fulfill their contractual obligations in accordance with University policy and local, state, and federal laws and regulations. Inquiries about the DPA may be sent to the IT Compliance team of the University Information Security office at [email protected].