
Vendor Privacy Policy

Purpose:
This policy protects university data when it is entrusted to a third party.

Applicability:
All university personnel who contract with vendors that store, process or transmit university data defined as ‘confidential’ by the university’s Data Classification Policy.

Description:
As a condition of doing business or continuing to do business with NMU, vendors that store, process or transmit confidential data must agree to the data protection criteria provided in the university’s Vendor Privacy Agreement. Exceptions to this policy may only be granted by the University’s Committee on Information Security Operations.


The University has a responsibility to protect and secure its data. NMU’s Information Technology Department upholds and facilitates this responsibility by working with university departments to ensure that systems are safe and secure and that they meet the university’s security standards.

Any vendor that provides the university with a system that stores, processes or transmits confidential data (see NMU’s Data Classification Policy) must sign the university’s Vendor Privacy Agreement (VPA). 

If you are planning to do business with a vendor that stores, processes, or transmits confidential data follow this procedure:

  1. Contact Bill Richards, the IT Project Manager, at wirichar@nmu.edu or (906) 227-2853. Bill will work with you and the vendor to obtain preliminary information. The general categories of information collected include:
    1. The purpose of the system
    2. Whether payment processing is part of the system
    3. The types of data collected, processed, transmitted, and/or stored
    4. The types of security assurances that the vendor will provide
  2. The IT Project Manager will send the vendor a VPA for review and signature.
  3. If the VPA must be modified for this purchase, the IT Project Manager will guide the purchaser through the process to request approval from the Committee on Information Security Operations (CISO). Typically, the CISO will either approve or deny the request based on the information provided, or route the contract through external counsel so that it can be modified to provide appropriate protections.

Note: Systems obtained outside of the scope of this procedure will not be allowed to connect to NMU systems, and will not be supported by NMU’s Information Technology Department. NMU’s Committee on Information Security Operations retains final decision authority for systems that process, store or transmit confidential data.

Vendors that provide the university with systems that store, process, or transmit confidential data as defined by the university’s Data Classification Policy must sign the university’s Vendor Privacy Agreement and must comply with the following minimum security and operational guidelines in order to do business with the university:


1.0 Audit and Compliance

  1. If the system involves payment card processing, vendor must submit the following documents:
    1. Attestation of Compliance with Payment Card Industry Data Security Standards https://www.pcisecuritystandards.org/
    2. Statement from auditor for compliance with ISO/IEC 27001 or its equivalent standard including certification that the audit met the standard.
    3. Statement from auditor for compliance with SAS 70 / SSAE 16.
    4. Payment process flow diagram
  2. The university protects copyrighted material including university logos, emblems, images, and gif files; these must be used only with University approval.


2.0 Web Accessibility

  1. The university is committed to ensuring that no barriers exist to prevent interaction with, or access to, websites by people with disabilities. Vendor must demonstrate that the proposed solution conforms to or addresses each of the W3C's Web Content Accessibility Guidelines (WCAG) Level AA (including Level A).

Vendors must submit either a Voluntary Product Accessibility Template (VPAT) 2.0 based on WCAG 2.0 Level AA (https://www.w3.org/TR/WCAG20/) or an independent third party evaluation from a qualified accessibility consultancy.


3.0 Data Controls

  1. A data integration plan must be documented. Data elements coming from university systems and going into the vendor’s system and data elements being sent from vendor’s system to the university must be identified and documented.
  2. If university data is being updated, a description of how the updates are made must be provided for both an initial data load and ongoing data integration.
  3. Vendor is required to sign the university’s Vendor Privacy Agreement if system stores, processes or transmits confidential data.
  4. Vendor agrees not to sell or share university data with third party vendors.
  5. If payment processing is involved, vendor must use secure point-to-point data encryption methods that are listed as approved by the PCI (https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions).
  6. Vendor must provide capabilities for storing and processing full Legal Name and Preferred First Name if any name service (student name, employee name, etc.) is included in the solution.


4.0 Identity Management and Account Access

  1. Vendor must describe the method for login management, single sign on and integration.

The system must meet the following identity access management standards:

  1. Login processes can authenticate using Single Sign On, either through a custom authentication method or SAML 2.0+ if available. Active Directory, CAS and LDAP are not supported at this time.
  2. If the vendor does not support single sign on and is providing identity access accounts, the vendor must:
    1. Provide for a unique login identity and password that is encrypted in storage and at rest. Vendor will manage issuing login accounts, password attributes, password resets, minimum password length, password generation guidelines, password expiration, and other access identity management processes using standard industry practices for security and privacy. Describe in detail the following processes:
      1. Creating, suspending and terminating accounts
      2. Password resets
      3. Password security protocols
      4. Name changes


5.0 Technical and Network Architecture

  1. Vendor must supply the following documentation if required:
    1. Any and all firewall rules
    2. Custom domain names, email configurations, messaging integration, or other configurations required for successful network and communications connectivity to the system.
    3. A network architecture diagram that details traffic flows, any and all ports and protocols, and any and all communication requirements.
  2. If proposing an on-premises solution, vendor must provide high-level network and process flow diagrams and a description of the proposed architecture.
  3. Vendor may be required to provide a test environment available to the University for upgrades and ongoing testing and verification.
  4. Describe how upgrades are handled and what control the university has over the timing of upgrades. If proposing a cloud or software-as-a-service solution, provide a cadence for planned outages, including time zone considerations for the Eastern Time Zone.
  5. Vendor must provide timely notification of required security patches.
  6. Describe storage and record limits associated with the proposed solution. Describe when additional storage or record purchases are necessary. If proposing a cloud or software-as-a-service solution, describe limitations for storage and archival of data.

7.0 Communications

Email, SMS and Push Notification (if the system includes email):

  1. If applicable, solutions must:
    1. Comply with the Telephone Consumer Protection Act and the CAN-SPAM Act.
    2. Comply with Google's Bulk Senders Guidelines.
    3. Have valid MX, A, and PTR records for email servers.
    4. Comply with Common Internet Message Headers.
    5. Stay within the single-user limits outlined in Google G Suite Sending Limits.
    6. Allow the application administrator to disable specific email messages.
    7. If the system involves push notifications, it must integrate with the university's mobile app.

Systems purchased outside of the scope of these guidelines will not be allowed to connect to the NMU network, and will not be supported by NMU’s Information Technology Department. NMU’s Committee on Information Security Operations retains final decision authority for the use of systems that process, store or transmit confidential data.

See Vendor Privacy Agreement Procedure for information about the process for implementing a system that stores confidential data.

Date Approved: 12-12-2019
Last Revision: 12-12-2019
Last Reviewed: 12-12-2019
Approved By: President
Oversight Unit: INFORMATION TECHNOLOGY-TECHNICAL SERVICES
Attached form file: Vendor Privacy Agreement.pdf