Purpose:

To specify security requirements for the acquisition of information technology products and services in which University of Florida Data is stored, processed or transmitted by an entity not under control of the university. Typically this covers outsourced services, server hosting, Managed Service Providers (MSPs), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and “Cloud” computing services.

Standard:

  1. Service Level Agreements will address the following topics to the satisfaction of the university, based upon the needs of the project:
    1. Availability
    2. Data preservation and destruction after termination of service
    3. Backups
    4. Intellectual property considerations
    5. Remedies for failure to perform
  2. Externally-hosted applications and services used by the university must authenticate users using Gatorlink SSO, unless the primary user base includes those not eligible to obtain Gatorlink accounts.
  3. External IT Vendors that will store, process or transmit Restricted Data must:
    1. Sign a Data Security Agreement stating their responsibility to protect University of Florida Data, to comply with all UF Security Policies and Standards as well as applicable laws and regulations, and to screen and monitor personnel, and specifying legal liability.
    2. Provide external validation of the vendor’s compliance with required controls. This validation can consist of a reliable third-party audit, certification, attestation, or an assessment conducted by the university.
  4. External IT Vendors that will store, process, transmit or otherwise have access to Protected Health Information must sign a Business Associate Agreement.
  5. Periodic review of the vendor’s controls and continued compliance will be conducted as needed, based upon significant changes to the use of the system, system design or controls, and at least every two years for projects that store, process or transmit Restricted Data and every three years for all other projects.
  6. Documentation of evaluations, assessments and reviews must be retained according to university records retention schedules and applicable laws.


References:

SEC-RM-001: Information Security Risk Management Policy

Revision History:

Revision Date    Description
                 Policy originally adopted
Aug 1, 2022      Policy updated