Technology Contract Review
Overview
In addition to conducting a technical review of any system or service that deals with institutional data or information security, CIS also assists in the contract review process to ensure that we are in compliance with relevant law and policy. Below is a summarized version of the specific things CIS is responsible for and their relative importance (this list omits many general contract review points that are addressed elsewhere in the institutional contract review process). A higher importance directly relates to the amount of time that will need to be spent in negotiation with the vendor if satisfactory language is not already present in the initial contract.
Additionally, CIS requires a copy of the vendor’s HECVAT for review, so please request it from them as you begin evaluating their service. Note: While the HECVAT is primarily for software systems, it also has relevant sections for consultants who will have access to SPU systems or data, so it needs to be filled out by those parties as well.
In very brief:
CIS’s technical and contract reviews ensure that vendors are protecting SPU and its constituents' data through technically-sound and legally-compliant processes, and that they are contractually liable to maintain those levels of protection.
| Subject | Description | Importance |
|---|---|---|
| Data Ownership | SPU must contractually retain ownership of our data, and have a technically feasible method of having it returned to us at the end of the contract. | High (depends on the sensitivity and uniqueness of the data in the system) |
| Data Security | SPU’s data must only be used, stored, and processed in systems that will keep it secure from external access. | High (depends on the sensitivity of the data in the system) |
| Regulatory Requirements | Each classification of data must be handled in a manner compliant with any regulatory requirements placed on that data. | High |
| Technical Soundness | The technical operation of a system may require contractual assurances of its ongoing technical security, operation, and performance. | High |
| Renewal Logistics | Renewal timelines for the service must allow for future system transitions without negative business impact. | Medium |
| Costs | Annual costs, as well as any increases, should be in alignment with industry standards. | Low |