When institutional data is to be shared with a third party (e.g., an information technology cloud provider), Policy DM-02 "Disclosing Institutional Information to Third Parties" requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.
Responsibility: The Requester is responsible for marshalling the 3PA process.
- Submit a Software & Services Selection Process (SSSP) form; then, if directed by the SSSP...
- Seek Data Steward approval by submitting a Data Handling Request (DHR) to begin a Third-Party Assessment (3PA).
- If the Data Stewards require a UISO targeted risk assessment, obtain the appropriate Higher Education Cloud Vendor Assessment Tool (HECVAT) from the third party.