Technology Contract Review

Overview

In addition to conducting a technical review of any system or service that deals with institutional data or information security, CIS also assists in the contract review process to ensure that we are in compliance with relevant law and policy. Below is a summarized version of the specific things CIS is responsible for and their relative importance (this list omits many general contract review points that are addressed elsewhere in the institutional contract review process). A higher importance directly relates to the amount of time that will need to be spent in negotiation with the vendor if satisfactory language is not already present in the initial contract.

Additionally, CIS requires a copy of the vendor’s HECVAT for review, so please request it from them as you begin evaluating their service. Note: While the HECVAT is primarily for software systems, it also has relevant sections for consultants who will have access to SPU systems or data, so it needs to be filled out by those parties as well.

In brief:

CIS’s technical and contract reviews ensure that vendors are protecting SPU and its constituents' data through technically-sound and legally-compliant processes, and that they are contractually liable to maintain those levels of protection.

| Subject | Description | Importance |
| --- | --- | --- |
| Data Ownership | SPU must contractually retain ownership of our data, and have a technically feasible method of having it returned to us at the end of the contract. | High. Depends on sensitivity and uniqueness of the data in the system. |
| Data Security | SPU’s data must only be used, stored, and processed in systems that will keep it secure from external access. | High. Depends on sensitivity of the data in the system. |
| Regulatory Requirements | Each classification of data must be handled in a manner compliant with any regulatory requirements placed on that data. | High |
| Technical Soundness | The technical operation of a system may require contractual assurances of its ongoing technical security, operation, and performance. | High |
| Renewal Logistics | Renewal timelines for the service must allow for future system transitions without negative business impact. | Medium |
| Costs | Annual costs as well as any increases should be in alignment with industry standards. | Low |