Overview
In addition to conducting a technical review of any system or service that deals with institutional data or information security, CIS also assists in the contract review process to ensure those . Below is a summarized version of the specific things CIS is responsible for and their relative importance (this list omits many general contract review points that are addressed elsewhere in the institutional contract review process). A higher importance directly relates to the amount of time that will need to be spent in negotiation with the vendor if satisfactory language is not already present in the initial contract.
In very brief:
CIS’s technical and contract review ensures that vendors are protecting SPU and its constituents' data through technical and legally compliant processes, and that they are contractually liable to maintain those levels of protection.

Subject | Description | Importance |
---|---|---|
Data Ownership | SPU must contractually retain ownership of our data, and have a technically feasible method of having it returned to us at the end of the contract. | High. Depends on sensitivity and uniqueness of the data in the system. |
Data Security | SPU’s data must only be used, stored, and processed in systems that will keep it secure from external access. | High. Depends on sensitivity of the data in the system. |
Regulatory Requirements | Each classification of data must be handled in a manner compliant with any regulatory requirements placed on that data. | High |
Costs | Annual costs as well as any increases should be in alignment with industry standards. | Low |
Renewal Logistics | Renewal timelines for the service must allow for future system transitions without negative business impact. | Medium |
Technical Soundness | The technical operation of a system may require contractual assurances of its ongoing technical security, operation and performance. | High |