UNH Vendor Contracts Security Questionnaire Process

Rev 12/20/2013

Table of Contents

  1. Executive Summary
  2. Examples of Appropriate Uses for the Vendor Contracts Security Questionnaire Process
  3. Objectives
  4. Recommended Process Outline
  5. Special Cases
  6. Roles and Responsibilities
  7. Typical Timeframes

1. Executive Summary

University employees, departments and organizations are responsible for protecting university information from unauthorized access and modification. When university information is placed into non-UNH computer systems, stored in non-UNH facilities, or handled by non-UNH persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what are the risks to the information and how those risks will be mitigated. Two important resources are available to help answer these questions.

1.) The USNH Data Classification Policy defines information into three primary categories: “Public”, “Sensitive” and “Restricted”. The policy is posted in the UNH On-Line Policy Manual (OLPM), and UNH Information Security Services (ISS) is available to help interpret it. Public information should at minimum be protected from unauthorized modification; sensitive information should be protected from unauthorized access, use and modification to the extent determined by university officials; and restricted information must be protected according to applicable legal requirements.

2.) The UNH Vendor Contracts Security Questionnaire and review process help identify risks associated with information being placed into non-UNH systems and/or handled by non-UNH persons. The full questionnaire should be used for sensitive information and must be used for restricted information. The short version of this questionnaire may be used for public information.

ISS is available to assist with the Vendor Contracts Security Questionnaire process. Due to the large number of service arrangements and contracts that the university maintains, service and contracts managers are encouraged to plan ahead, begin the process several weeks before the desired completion date, and allow extra time for delays that may be caused by respondents not answering the questions appropriately and periods when many questionnaires may already be in progress. The service and contract managers are also encouraged to participate in and contribute to the process. Doing so builds an understanding, speeds up the process and results in a more timely and higher quality review.

2. Examples of Appropriate Uses for the Vendor Contracts Security Questionnaire Process

1.) Required

  1. Non-UNH service provider storing UNH information in non-UNH systems
  2. Software As a Service from a non-UNH service provider
  3. Non-UNH service provider having administrative access to UNH information and/or UNH systems
  4. UNH employees or organizations storing university information in non-UNH systems
  5. UNH organizations providing a locally developed service with restricted information

2.) Recommended

  1. UNH organization implementing a third party solution on UNH systems
  2. UNH organization providing a locally developed service with sensitive information
  3. Service/contracts that required initial security review and changed significantly

3.) Special cases

  1. Public UNH information stored in non-UNH systems or handled by non-university persons
  2. Existing services that involve storing of university information in non-UNH systems and/or handling of such information by non-university persons

3. Objectives

1.) Risk assessment (good industry practice and required by privacy laws and industry standards)

2.) Determine whether the service will be consistent with university policies

3.) Provide a foundation for a security plan for the service

4.) Clarify responsibilities for protecting the service/information

5.) Ensure that customary information security contractual language is included

6.) Document due diligence

4. Recommended Process Outline

1.) Submit request for the review at via email to . ISS will advise whether conducting a security review is needed/recommended.

2.) Schedule a call between the intended respondent(s), ISS, and the primary contact of the department/organization that will be responsible for the service/contract.

3.) Provide a copy of the questionnaire to the intended respondents and request target dates so that ISS can schedule review(s) in advance.

4.) ISS reviews the completed questionnaire.

5.) Schedule a follow-up call with the respondents to discuss any outstanding questions. Participation in the call depends on the type of questions that are outstanding.

6.) Respondents provide target dates for updating the outstanding questions.

7.) Repeat the process to review and update the outstanding questions, if necessary.

8.) Respondents pool all answers in a single document, attach applicable exhibits, and sign the questionnaire.

9.) The department/organization that is responsible for the service/contract ensures that the questionnaire is referenced in the contract and that agreed-upon actions/recommendations are completed.

10.) ISS will retain a copy of the final questionnaire for future reference.

5. Special Cases

1.) Public UNH information stored in non-UNH systems

Storing public information in non-UNH systems typically involves a lower risk than storing sensitive or restricted information in those systems. However, because unauthorized modification of public information, and compromise of the computer account credentials used to manage it, can result in harm, due process is recommended to ensure that important considerations are not overlooked. In recognition of the reduced risk, an abbreviated version of the Vendor Contracts Security Questionnaire is available. The objectives of the reduced process include the following:

a.) Document the decision that the information is public

  1. Who made the decision
  2. How was it made

b.) Consider potential risks

  1. What would be the consequences of unauthorized modification
  2. What would be the consequences of account compromise

c.) Document that the service will be provided in compliance with university policies

  1. Educate service provider about UNH policies
  2. A high level statement from provider regarding good security practices

2.) Existing services

In recognition of the fact that some contracts and service arrangements with external service providers precede the Vendor Contract Security review process, ISS recommends that UNH contract and service administrators/managers/owners work with ISS to complete the Vendor Contract Security process in the following situations:

a.) Prior to renewing the contract or service arrangement

b.) For services that were explicitly recognized as involving restricted information

c.) For services that were recognized as involving unacceptable risk

d.) For services that experienced a security incident

e.) Others as identified through dialogue with USNH Purchasing, a UNH BSC director, ISS, Internal Audit, and/or USNH Legal Counsel

6. Roles and Responsibilities

1.) ISS

  1. Provide guidance on which situation should and/or must include a security review.
  2. Maintain an understanding of university policies and accepted processes/standards.
  3. Develop and maintain tools to facilitate the review.
  4. Analyze completed questionnaires.
  5. Provide an opinion regarding consistency with university policies and practices.
  6. Provide recommendations.
  7. Document the completed process.
  8. Improve the process based on experience and feedback.

2.) Department or Organization responsible or contracting for the proposed service

  1. Contact ISS in a timely manner to allow for reasonable scheduling of the review.
  2. Provide a primary point of contact to ISS. Help ensure that respondents answer questions.
  3. Help identify others who must contribute to the answers, if the respondent is not appropriate to answer them.
  4. Schedule conference calls between ISS and the respondents.
  5. Maintain a high level understanding of progress, key issues and assist with addressing outstanding items where appropriate.
  6. Ensure that final version of questionnaire and accepted recommendations are included in the contractual arrangement.

3.) Senior Leadership

  1. Guide decisions regarding situations where residual concerns about security conflict with business need.
  2. Understand and accept risk where business need outweighs security concerns and a decision is made to proceed with the proposed service.

7. Typical Timeframes

The following timeframes are based on past experience with successful reviews and are provided as a general guideline. Respondents providing complete answers to all questions and providing additional and/or supportive documentation – for example, a copy of their information security program, user agreement, most recent certification or audit results – will typically complete the review in far less time than shown here.

Eight weeks prior to target date for process completion

1.) Notify ISS; fill out the request form

Seven weeks prior to target date for process completion

1.) Conference call with respondent

2.) UNH service/contract manager fills out appropriate components of the questionnaire

Six weeks prior to the target date for process completion

1.) Respondent (vendor) returns the questionnaire with answers

2.) UNH service/contract manager reviews the questionnaire for completeness

Five weeks prior to the target date for process completion

1.) ISS reviews respondent answers

2.) ISS provides recommendations to UNH service/contract manager

Four weeks prior to the target date for process completion

1.) UNH service/contract manager returns the questionnaire to respondent, if necessary

2.) Respondent provides target date for re-submission of updated answers

Three weeks prior to target date for process completion

1.) Respondent returns questionnaire to UNH service/contract manager

2.) UNH service/contract manager reviews updated answers for completeness

Two weeks prior to target date for process completion

1.) ISS reviews respondent answers and provides final recommendations to UNH service/contract manager

One week prior to target date for process completion

1.) UNH service/contract manager returns the questionnaire to respondent for signature

2.) UNH service/contract manager includes appropriate language in the contract or service agreement referencing the questionnaire and attaches the completed questionnaire as an exhibit