I. General
Depending on the nature of the service and classification of the data involved, Third Party or Cloud Services procurement can be complex and can take a fair amount of time. Please review the Standards and Guidelines for Procuring Cloud or Third Party Information Techology Services in order to make sure you understand your responsibilities.
II. Overview
Owner of a proposed service should ensure that the following departments are made aware of the desire for the service as early as possible.
- Information Security Office: Due-diligence security checks need to occur on all cloud procurements involving Confidential or Controlled information, or for any mission critical system.
- Procurement Office: Determine whether the dollar amount or nature of the service requires request for proposals (RFP's) or bids. Contact the Procurement office if you require guidance.
- Office of University Compliance and Legal Affairs: If no formal procurement process is required, once a vendor is selected, obtain the contractual language from the prospective vendor and provide it to the University Attorney for review. If a formal procurement process is required, Procurement Services will coordinate the contract review with Legal Affairs. If a Purchase Order is going to be issued, please make your vendor's aware of UTA's standard terms and conditions.
- Office of Information Technology – If there are any integration points, or resources required from OIT, then make sure that OIT Project Management Office has been contacted.
The above process will ensure that appropriate approvals; adequate risk mitigation, data roles and responsibilities, and billing (if any) have been considered and established. An additional benefit of this process is to obtain the best price or performance, avoid unnecessary licensing costs, and aid with choosing Cloud Services that can be supported and even customized.
III. Procurement Planning
While the Office of Procurement, Legal Services, Information Security Office and Office of Information Technology can work concurrently and cooperatively on a particular acquisition, it will take time to review and approve. Please do not wait until the end of the fiscal year to request a review of the service, as this is generally a peak period for all departments and will risk procurement delays.
IV. Procedure for the Sponsoring Department
You are encouraged to reach out to the Information Security Office as early in the fiscal year as possible.
- Log onto Service Now and Request Software Purchase Approval.
- Complete the Information Security Sponsoring Department Procurement Questionnaire found below in the forms section below.
- OIT and ISO will determine if the institution already offers an equivalent service. If one exists, then OIT will work with you to determine if you or your department can take advantage of the agreement that is in place.
- If you determine that UT Arlington data will be created, transferred, manipulated or otherwise handled on the service then have the vendor complete the Contracting Party Attestation of Information Security Practices (below).
V. Procedure for Vendor or Third Party
To expedite the due-diligence review, please do the following:
- Complete the Information Security Rider Contracting Party Attestation of Information Security Practices found below in the forms section.
- Include a SOC 2 report (or an independent information security audit report).
- A copy of your organizations incident managment/handling procedures.
- If there are data transfer requirements from UTA to your organization, include documentation that details the list of fields.
If any of the above information needs to be covered by a mutual non-disclosure agreement, please send a copy of the agreement to security@uta.edu or download our standard agreement below.
VI. Updates and modifications to this document
This document will be modified as necessary to address changes in technology, processes and identified risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that it is incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.
VII. Forms
Please submit the latest version of these forms electronically.
- To be completed by sponsoring/requesting department - Information Security Project Questionnaire for Cloud Services (Version 1.4)
- To be completed by the Vendor or Third Party - Information Security Rider Contracting Party Attestation of Information Security Practices (version 1.3).
VIII. Mutual Non Disclosure Agreement Template
Vendors or third parties may use UT Arlington's Mutual Non Disclosure Agreement Template if there are concerns about the confidentiality of the information being requested during our due-diligence assessments. Please send the completed/redlined document to security@uta.edu. We will then forward it to our legal affairs for final approval and signature.
IX. Revisions
| Version | Date | Changes |
|---|---|---|
| 1.0 | 11/22/2016 | Initial Publication |
| 1.1 | 2/24/2017 | Minor revision to Section II. Updated to clarify when Legal Affairs should be involved |
| 1.2 | 9/7/2018 | Clarified this procedure applies to both Third Party and Cloud Services. Updated procedure. |