Information Technology Security & Privacy

The use of third-party service providers offers opportunities for cost savings and valuable services, but it can also increase risk to the university if those service providers have access to university data. The university attempts to mitigate this risk in several ways.

• A data protection addendum, also called a security addendum, developed by Procurement Services, ITS, and the Office of the General Counsel. The addendum should be attached to all contracts where a service provider accesses, processes, or maintains any type of institutional data.
• A third-party vendor security and compliance assessment developed by ITS Information and Infrastructure Assurance. The assessment, which includes the U-M service provider security-compliance questionnaire (UMSPSCQ), should be completed by a service provider if they access, process, or maintain sensitive institutional data.

Procurement Services facilitates the execution of the data protection addendum and the appropriate use of the supplier security and compliance assessment.