Educause Security Discussion mailing list archives
Re: Confidentiality Agreement with third party vendor
From: Georgios Mousouros <georgios () EMAIL ARIZONA EDU>
Date: Tue, 26 Aug 2008 14:59:46 -0700
We have something in place. I hope it helps.

1. *Network Security* Vendor agrees to maintain network security at all times. At a minimum this includes: network firewall provisioning and intrusion detection.
2. *Data Security* Vendor agrees to protect and maintain the security of data. These security measures include maintaining secure environments that are patched and up-to-date with all appropriate security updates.
3. *Data Transmission* Vendor agrees that any and all transmission or exchange of data shall take place via secure means like HTTPS or FTPS.
4. *Data Storage* Vendor agrees that any and all data will be stored, processed and maintained on designated target servers and that no data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium.
5. *Data Encryption* Vendor agrees to store all data as part of a designated backup and recovery process in encrypted form, using no less than 128-bit encryption key.
6. *Data Re-use* Vendor agrees that any and all data exchanged shall not be distributed, repurposed or shared across other applications, environments or business units. Vendor further agrees that no data of any kind shall be transmitted, exchanged or otherwise passed to other vendors or interested parties.
7. *End of Agreement Data Handling* Vendor agrees that upon termination of this Agreement, it shall erase, destroy and render all unreadable data unless otherwise specified. Vendor shall certify in writing that these actions have been completed within 30 days of the termination of this Agreement or within 7 days of the request of an agent, whichever comes first.
Vendor agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of Personal Identifiable Information (PII) or other event requiring notification. In the event of a breach of any of Vendor’s security obligations or other event requiring notification under applicable law, Vendor agrees to assume responsibility for informing all such individuals.
Jeff Holden wrote:
Do any of you have a confidentiality agreement they can share with me on or off list. I need one pertaining to a third party that is going to convert data from one format to another. All the confidentiality agreements I have found are more structured to business use or for research data. I want it to include clauses that data is only to be used for the intended purpose of converting formats, won't be transmitted unencrypted, won't be disclosed to anyone, will be disclosed to us if their security is breached, and that the data will securely be deleted after the process is complete and any other standard clauses needed to CMA.

Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611 X5017

--
Georgios Mousouros
Support Systems Analyst, Senior Information Security Liaison
College of Social and Behavioral Sciences
University of Arizona
University Services Building
888 N. Euclid, Room 302
Tel: (520) 621-1596
Fax: (520) 626-2959
http://www.sbs.arizona.edu/security/