DEPARTMENT: Information Technology & Services / POLICY DESCRIPTION: Information Security – Vendor Information Security Agreement
PAGE:1 of 3 / REPLACES POLICY DATED: 2/15/10, 5/15/10, 12/1/10
EFFECTIVE DATE: September 1, 2011 / REFERENCE NUMBER: IS.SEC.008
APPROVED BY: Ethics and Compliance Policy Committee
SCOPE: This policy applies to all Company-affiliated facilities, all Corporate Departments and all Divisions.
PURPOSE: This policy is designed to create a standard process when engaging information technology or clinical system vendors in order to help ensure that vendors do not introduce security risks to our Companynetwork and systems. This policy also helps protect the Company against costly data breaches potentially caused by vendors who have access to our data.
POLICY:
1.Information Technology or clinical system vendorswho connect to our Company network, provide us computer-based services over a network (application service providers or ASPs), or who access or store our data, must sign an Information Security Agreement(ISA), available on Atlas,or equivalent agreement, which requires certain security controls to be in place in order to protect our systems and our data. The Information Security Standard, Third Party Contracts – COM.TPM.01, includes more detailed information about inclusions and exclusions (or global exceptions) to the ISA requirement. Any exceptions to this ISA requirement will be handled through Corporate Information Security, in accordance with the Information Security Risk Acceptance and Accountability Policy, IS.SEC.009.
2.This policy applies only to new vendors and/or new products purchased from existing vendors. This excludes product updates or upgrades which are covered under an existing maintenance agreement. However, Information Security reserves the right to enforce this policy for existing vendors in cases where there are known security incidents or deficiencies, audit issues, vendor-related system or data breaches, or other circumstances where Corporate Information Security has identified a high risk to Company systems or data. When vendor contracts are renewed, Corporate Information Security may require that an updated ISA form is signed.
3.Corporate departments, Divisions, and Company affiliated facilities may allow vendors to change aspects of the ISA, or use a vendor-supplied contract, if the contract is reviewed and approved by:
a)Legal counsel;
AND
b)The Director of Information Security Operations (or Division Information Security Official (DISO)) in conjunction with Corporate Information Security, as appropriate.
4.The ISA or equivalent agreement and other contractual documents must be signed by both parties before any vendor products or services are paid for, or before any vendor systems are placed on the Company network, or before any Company data is given to the vendor.
PROCEDURES:
1.IT&S Vendor Contracts. The Corporate IT&S Contracting group handles all IT&S contracts.

2.Division / Facility Vendor Contracts. Divisions and facilitiesmay contract with vendors for certain Division-level or facility-level contracts. These are handled either by the Division Executive Office, or through the Division IT Service Center (ITSC). ITSC contracts must be in compliance with the procedures defined by the IT&S Finance and Administration group (posted on Atlas and included in References).

a.Please note: the referenced ISA template is designed for use in IT&S contracts and is not customized for use in Division or facility contracts. Certain legal terms (e.g., legal name) MUST be reviewed and edited before the contract can be legally binding. If a vendor is engaged at more than one Division or facility, it may be appropriate to have the ISA executed by IT&S.

3.Required Roles. For Division andFacility level contracts, the following roles must be involved in the vendor negotiation/contracting process:
  1. The DISO;
  2. Legal counsel;
  3. Person at facility or Division authorized to sign legal contracts (e.g., Facility CEO or CFO); and
  4. Business owner impacted by purchase of vendor product or service (where applicable).
4.Authorized Signer. The ISA must be signed by a person who is authorized to sign contracts for the legal entity listedon the first page of the ISA.
5.Accompany New or Existing Master Agreement. The ISA template needs to be accompanied by, or associated with, a new or existing master agreement. There are terms in the legal portion of the ISA Template that refer to terms in the IT&S Master Agreement. The Corporate IT&S Contracts Department provides its own master agreements for the contracts that they sign. Division and facility master agreements may vary, depending on facility or division purchasing procedures.
6.Legal Entities. The ISA must reflect the name of the actual legal entity that is entering into the contract. In most cases, this will be the same legal name that is on the master agreement or master contract.
REFERENCES:
  1. Information Security Agreement – Atlas site
  2. Information Security Risk Acceptance and AccountabilityPolicy, IS.SEC.009
  3. DBC&BD Contracting Guide
  4. Business Associate Agreement Atlas site
  5. Finance & Administration: Division Contracts