Third Party Contracts
- Guidelines -
1. Does the service access, process or store University Data?
Upon termination, cancellation, or expiration of the Agreement, for any reason, Contractor shall cease and desist all uses and disclosures of Compliant Data or Business Sensitive Information and shall immediately return or destroy (if the University gives written permission to destroy) in a reasonable manner all such information received from the University, or created or received by Contractor on behalf of the University, provided, however, that Contractor shall reasonably cooperate with the University to ensure that no original information records are destroyed. This provision shall apply to information that is in the possession of subcontractors or agents of Contractor. Contractor shall retain no copies of University information, including any compilations derived from and allowing identification of any individual’s confidential information. Except as provided in Section 3(B), Contractor shall return (or destroy) information within 30 days after termination, cancellation, or expiration of this Agreement.
In the event that Contractor determines that returning or destroying any such information is infeasible, Contractor shall provide to University notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of such information is infeasible, Contractor shall extend the protections of this Agreement to such information and limit further uses and disclosures of such information to those purposes that make the return or destruction infeasible, for so long as Contractor maintains such information.
Contractor shall wipe or securely delete Compliant Data or Business Sensitive Information and personally identifiable information furnished by the University from storage media when no longer needed. Measures taken shall be commensurate with the standard for “clearing” as specified in the National Institute of Standards and Technology (NIST) Special Publication SP800-88: Guidelines for Media Sanitization, prior to disposal or reuse.
The respective rights and obligations of Contractor to return or destroy Compliant Data and/or Business Sensitive Information shall survive the termination of this Agreement.
Unless otherwise stated in the Agreement, all Compliant Data or Business Sensitive Information is the property of the University and shall be turned over to the University upon request.
Contractor shall not amend or replace hardware, software or data without prior authorization of the University.
If mobile devices are used in the performance of this Agreement to access University Compliant Data or Business Sensitive Information, Contractor shall install and activate authentication and encryption capabilities on each mobile device in use.
A. Student information
The UMS and its contractors are entrusted to protect student personal information (non-directory information). This includes students’ educational records. Any system that processes or stores student data should be reviewed for FERPA compliance (http://www.maine.edu/system/infosecurity/FERPA1.html).
Use the following clause when a contract involves student data:
If information pertaining to student educational records is accessed, transferred, stored or processed by Contractor, Contractor shall protect such data in accordance with FERPA.
B. Financial information (including credit card payments)
UMS departments accept payment via credit/debit cards. Protecting against theft or other misuse of cardholder information (i.e. Name, Credit/Debit Card Number, CVV or PIN Number) provided to the UMS or its vendors on behalf of the UMS is of the utmost importance. Certain language is required for e-commerce transactions processing credit cards. However, if the University is engaging in additional credit card processing, APL IV-F (UMS Credit/Debit Card Standards) needs to be followed.
Use the following clauses, as needed, when a contract involves financial data:
If Contractor engages in electronic commerce on behalf of the University or cardholder data relating to University activities is accessed, transferred, stored, or processed by Contractor, Contractor shall protect data in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
If information pertaining to protected “Customer Financial Information” is accessed, transferred, stored or processed by Contractor, Contractor shall protect such data in accordance with GLBA.
Contractor shall use strong encryption and certificate-based authentication on any server hosting on-line and e-commerce transactions with the University, ensuring the confidentiality and non-repudiation of the transaction while crossing networks.
C. Health Information
All individually identifiable health information, in any form whether electronic, paper, or oral, needs to be protected. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). To view the University of Maine System’s HIPAA Policies please reference the link: http://www.maine.edu/system/usc/hipaa/index.php
Any system or service processing health information must be closely scrutinized. Besides HIPAA compliance, the HITECH Act may require a separate Business Associate Agreement (BAA). Consult with University Counsel.
Use the following clause when a contract involves personal health information (PHI):
If information pertaining to protected health information is accessed, used, collected, transferred, stored or processed by Contractor, Contractor shall protect such data in accordance with HIPAA, and Contractor shall sign and adhere to a Business Associate Agreement.
2. Will the service be housed at the University or hosted with a contractor offsite?
New systems that are housed at the University will require a risk assessment to ensure that the system and the facility that contains the system offer adequate protections.
A. If a system is hosted by a contractor, an understanding of how the information is transmitted, processed and stored is needed to safeguard the confidentiality and integrity of the information. An understanding of the limits imposed on access to the data is also required.
Use the following clauses for data stored on the contractor’s computers:
Contractor shall ensure that any agent and/or subcontractor, to whom it provides University data received from, or created or received by Contractor on behalf of, University, adheres to the same restrictions and conditions that apply through this Agreement to Contractor with respect to such data, including, but not limited to, the implementation of reasonable and appropriate safeguards. Contractor remains responsible for ensuring that its agent or subcontractor complies with the requirements of the Agreement.
Contractor shall provide reasonable and adequate protection on its network and systems, to include firewalls and intrusion detection/prevention.
Contractor shall control access to University data. All contractor employees shall be adequately screened, commensurate with the sensitivity of their jobs. Contractor agrees to limit employee access to University data on a need-to-know basis. Contractor shall provide initial and annual information security awareness training to all employees who interface with University data. Contractor shall impose a disciplinary process for employees not following privacy procedures. Contractor shall have a process in place to remove access to University data immediately upon termination of any contractor employee.
Contractor shall host University data on computers housed in secure areas that have adequate walls and entry control such as a card controlled entry or staffed reception desks. Only authorized personnel shall be allowed to enter and visitor entry will be strictly controlled.
Contractor shall use strong encryption and certificate-based authentication on any server hosting on-line and e-commerce transactions with the University to ensure the confidentiality and non-repudiation of the transaction while crossing networks.
The installation or modification of software on systems containing University Compliant Data or Business Sensitive Information shall be subject to formal change management procedures and segregation of duties requirements.
A Contractor who hosts University Compliant Data or Business Sensitive Information shall engage an independent third-party auditor to evaluate the information security controls not less than every two years. Such evaluations shall be made available to the University upon request.
Reporting of Unauthorized Disclosures or Misuse of Information: Contractor shall report to the University any use or disclosure of Compliant Data or Business Sensitive Information not authorized by this Agreement or in writing by the University. Contractor shall make the report to the University not more than one (1) business day after Contractor learns of such use or disclosure. Contractor’s report shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the information used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Contractor has done or shall do to mitigate the effects of the unauthorized use or disclosure, and (v) what corrective action Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. Contractor shall provide such other information, including a written report, as reasonably requested by the University. Contractor shall keep University informed on the progress of each step of the incident response. Contractor shall indemnify and hold University harmless from all liabilities, costs and damages arising out of or in any manner connected with the security breach or unauthorized use or disclosure by Contractor of any University Compliant Data or Business Sensitive Information. Contractor shall mitigate, to the extent practicable, any harmful effect that is known to Contractor of a security breach or use or disclosure of Compliant Data or Business Sensitive Information by Contractor in violation of the requirements of this Agreement. In addition to the rights of the Parties established by this Agreement, if the University reasonably determines in good faith that Contractor has materially breached any of its obligations, the University, in its sole discretion, shall have the right to:
- Inspect the data that has not been safeguarded and thus has resulted in the material breach; and/or
- Require Contractor to submit a plan of monitoring and reporting, as the University may determine necessary to maintain compliance with this Agreement; and/or
- Terminate the Agreement immediately.
B. If the data system provides a required live function or is the original storage repository of any particular set of University data, does the contractor provide adequate controls to ensure the availability of the data?
Use the following clauses to require environmental protections:
Contractor shall design and apply physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters. Contractor shall protect hosted systems with Uninterruptible Power Supply (UPS) devices sufficient to meet business continuity requirements.
Contractor shall back up systems, with back-up media stored at a separate location; incremental back-ups shall be taken at least daily and full back-ups at least weekly. Incremental and full back-ups shall be retained for 15 days and 45 days respectively. Contractor shall test restore procedures not less than once per year.
3. Is software development work being provided by the contractor?
Use the following clauses when a third party is providing software development:
Any personally identifiable information or data covered under law, regulation, or standard such as HIPAA, FERPA, or PCI, shall not be used in the development or test environments. Records that contain these types of data elements may be used if that data is first de-identified, masked or altered so that the original value is not recoverable.
For programs that process University data, initial implementation as well as applied updates and modifications must be produced from specifically authorized and trusted program source libraries and personnel.
Contractor shall provide documentation of a risk assessment of new system development or of changes to a system.
4. Are contractor personnel under University management direction?
Use the following clauses when a third party is being directed by UMS:
Contractor employees who access University systems will initially and annually participate in the University’s Information Security awareness training unless the Contractor provides equivalent or greater awareness training.
Contractor employees who access University systems shall agree to the University’s Acceptable Use Policy.
5. Are there any requirements for interface with other systems or that require data from other systems?
For non-standard contracts, ensure that the contract is reviewed by University Counsel. Use the appropriate Information Security clauses. The Office of Information Security will assist you with selecting the appropriate clauses.