Re: transferring data to vendors/outsourced services

[Theresa Rowe <rowe () OAKLAND EDU>]

Our process is to have the vendor respond to a questionnaire - that is
posted at http://www2.oakland.edu/uts/policies.cfm#outsourcing under the
paragraph *Outsourcing, Hosted Solutions and Application Service Providers*
click on the word Standards.  We have university staff who are engaging the
contract review the Checklist document.

These materials go with the contract or license to our General Counsel, who
may incorporate the Standards as completed by the vendor as an exhibit to
the contract.  Based on the vendor's responses, some additional protections
may be written into the contract by our General Counsel.

Theresa Rowe


On Mon, Jan 19, 2009 at 11:24 AM, Witmer, Robert <r.witmer () snhu edu> wrote:

>  I am looking for a policy or "checklist" to be considered for
> vendor/third party data transfers.  The policy/checklist might include
> provisions for secure data transfer, the vendor's use of the information,
> vendor's data storage/protection of the information, etc.
>
>
>
> Also, who (management, data owner, InfoSec, other, all) has the
> authority/responsibility to initiate, approve and implement data transfers
> to third-party vendors?
>
>
>
> Thank you for your contribution.
>
> Bob Witmer
>
> r.witmer () snhu edu



--
Theresa Rowe
Chief Information Officer
Oakland University