Purpose
To specify security requirements for the acquisition of information technology products and services in which University of Florida Data is stored, processed or transmitted by an entity not under control of the university. Typically this covers outsourced services, server hosting, Managed Service Providers (MSPs), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and “Cloud” computing services.
Standard
- Service Level Agreements will address the following topics to the satisfaction of the university, based upon the needs of the project:
  - Availability
  - Data preservation and destruction after termination of service
  - Backups
  - Intellectual property considerations
  - Remedies for failure to perform
- External IT Vendors that will store, process or transmit Restricted Data must:
  - Sign a Data Security Agreement stating their responsibility to protect University of Florida Data; comply with all UF Security Policies and Standards as well as applicable laws and regulations; screen and monitor personnel; and specifying legal liability.
  - Provide external validation of the vendor’s compliance with required controls. This validation can consist of a reliable third-party audit, certification, attestation, or an assessment conducted by the university.
- External IT Vendors that will store, process, transmit or otherwise have access to Protected Health Information must sign a Business Associate Agreement.
- Periodic review of vendor’s controls and continued compliance will be conducted as needed, based upon significant changes to the use of the system, system design or controls, and at least every two years for projects that store, process or transmit Restricted Data and every three years for all other projects.
- Documentation of evaluations, assessments and reviews must be retained according to university records retention schedules and applicable laws.
References
SEC‑RM‑001: Information Security Risk Management Policy