Vendor Contracts: Information Security and Privacy Considerations and Security Assessment Review

Information Security and Privacy Considerations for UNH IT Vendor Contracts

Contracts for information technology services establish important expectations and requirements and must include assurances on the appropriate levels of information security controls and privacy protections based on the institutional information that will be captured, accessed, stored, processed, or otherwise managed by the vendor. Contracts for technology services, applications, systems, or products need to be handled via established procurement processes. When UNH institutional information that is classified as sensitive or restricted will be managed or stored by a third party, Information Security Services should be consulted during contract negotiations so that appropriate assurances are included and the information is adequately protected.


Security Assessment Review (SAR)

Third-party hosted technology services, applications, systems, or products that will capture, access, store, process, or otherwise manage UNH institutional information must complete the Security Assessment Review (SAR) process to demonstrate that adequate information security controls and privacy protections are in place to appropriately safeguard UNH's information.

To determine if a review is required, please contact ISS.

Tips for Completing the SAR Process

  1. Instruct the vendor to fill out the questionnaire responses as completely as possible. All questions must be answered; references to supplemental documents or links to company or other websites will not be accepted. Incomplete or missing responses will cause delays in the review.
  2. Ask the vendor to provide as much supporting documentation as possible. Examples include copies of the vendor's information security program, business continuity plan, certifications or audit results, and user agreement/terms of use agreement.
  3. When the vendor submits the questionnaire to you, check that all questions have been answered before sending it to ISS. Missing or incomplete responses will delay the review timeline.
  4. Allow 4-6 weeks to complete this process.

Contact ISS to obtain the current SAR documentation.



Article ID: 689
Fri 7/19/19 5:32 PM