Educause Security Discussion mailing list archives

Re: transferring data to vendors/outsourced services


From: "Grama, Joanna Lyn" <jgrama () PURDUE EDU>
Date: Tue, 20 Jan 2009 10:18:11 -0500

The Educause Security Task Force recently put out some documentation on
"Data Protection Contractual Language:  Common Themes and Examples" that
might be worth looking at.



It is available on the IT Security Guide at:
https://wiki.internet2.edu/confluence/display/secguide/Home;jsessionid=02862
E5AAB6D4286747A612E90432E4E



Regards,

Joanna Grama







Joanna Lyn Grama, J.D., CISSP
ITaP Networks and Security
Purdue University
Phone: 765-496-3970
E-mail: jgrama () purdue edu





From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Monday, January 19, 2009 5:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] transferring data to vendors/outsourced services



Our process is to have the vendor respond to a questionnaire - that is
posted at http://www2.oakland.edu/uts/policies.cfm#outsourcing under the
paragraph Outsourcing, Hosted Solutions and Application Service Providers
click on the word Standards.  We have university staff who are engaging the
contract review the Checklist document.

These materials go with the contract or license to our General Counsel, who
may incorporate the Standards as completed by the vendor as an exhibit to
the contract.  Based on the vendor's responses, some additional protections
may be written into the contract by our General Counsel.

Theresa Rowe



On Mon, Jan 19, 2009 at 11:24 AM, Witmer, Robert <r.witmer () snhu edu> wrote:

I am looking for a policy or "checklist" to be considered for vendor/third
party data transfers.  The policy/checklist might include provisions for
secure data transfer, the vendor's use of the information, vendor's data
storage/protection of the information, etc.



Also, who (management, data owner, InfoSec, other, all) has the
authority/responsibility to initiate, approve and implement data transfers
to third-party vendors?



Thank you for your contribution.

Bob Witmer

r.witmer () snhu edu




--
Theresa Rowe
Chief Information Officer
Oakland University

Attachment: smime.p7s
Description:


Current thread: