Vendor Privacy

Date Approved: 12-12-2019
Last Revision: 12-12-2019
Last Reviewed: 12-12-2019
Approved By: President
Oversight Unit: INFORMATION TECHNOLOGY-TECHNICAL SERVICES
Purpose

This policy protects university data when it is entrusted to a third party.

Applicability

All university personnel who contract with vendors who store, process or transmit university data defined as ‘confidential’ by the university’s Data Classification Policy. 

Policy

As a condition of doing business or continuing to do business with NMU, vendors that store, process or transmit confidential data must agree to the data protection criteria as provided in the university’s Vendor Privacy Agreement. Exceptions to this policy may only be granted by the university’s Committee on Information Security Operations.


Vendor Privacy Policy Procedure

Procedure

The University has a responsibility to protect and secure its data.  NMU’s Information Technology Department upholds and facilitates this responsibility by working with university departments to ensure that systems are safe and secure and that they meet the university’s security standards.

Any vendor that provides the university with a system that stores, processes or transmits confidential data (see NMU’s Data Classification Policy) must sign the university’s Vendor Privacy Agreement (VPA). 

If you are planning to do business with a vendor that stores, processes, or transmits confidential data, follow this procedure:

  1. Contact Bill Richards, the IT Project Manager, at wirichar@nmu.edu or (906) 227-2853. Bill will work with you and the vendor to obtain preliminary information. The general categories of information collected include:
    1. The purpose of the system
    2. Whether payment processing is part of the system
    3. The types of data collected, processed, transmitted, and/or stored
    4. The types of security assurances that the vendor will provide
  2. The IT Project Manager will send the vendor a VPA for review and signature.
  3. If the VPA must be modified for this purchase, the IT Project Manager will guide the purchaser through the process to request approval from the Committee on Information Security Operations (CISO). Typically, the CISO will either approve or deny the request based on the information provided, or route the contract through external counsel so that it can be modified to provide appropriate protections.

Note: Systems obtained outside of the scope of this procedure will not be allowed to connect to NMU systems, and will not be supported by NMU’s Information Technology Department.  NMU’s Committee on Information Security Operations retains final decision authority for systems that process, store or transmit confidential data.