For any DePaul covered data (as defined by the Information Security Policy - https://policies.depaul.edu/policy), to be hosted as a service by an external vendor, whether the data is furnished by DePaul or collected on the vendor site or through entry by DePaul constituents, care must be taken to ensure that the vendor secures this data in an appropriate manner.
Agreements between DePaul and outside services where the service provider hosts or has access to DePaul covered data must have a contract in place, regardless of the dollar amount of the contract. The Director of Information Security must be notified to review the anticipated use and handling of DePaul data and to interview the provider on controls implemented.
Service providers should be asked for an independent opinion on the security and controls environment. The SSAE18 (Statement on Standards for Attestation Engagements No. 18) is an attestation standard geared toward an independent auditor providing a statement on the control environment of a service provider. It is becoming an industry standard for service providers to provide this to their clients.
If the service provider does not have an SSAE18, the following questions should be raised with them:
If the service that will be provided involves the user of credit cards, determine if the provider is Payment Card Industry Data Security (PCI-DSS) certified.
The following elements (if applicable) should be specified contractually between DePaul and the service provider.