Starting Your Relationship with ASU
Information Security Contract Language
All systems containing ASU data must be designed, managed, and operated in accordance with information security best practices and in compliance with all applicable laws, rules, and regulations. To diminish information security threats, the university has included language in the standard terms and conditions of our purchase contracts to set expectations between ASU and outside vendors. Please view the ASU Standard Terms and Conditions to review the information security contract language.
Vendor IT Risk Assessment Process
All staff and faculty at ASU are responsible for the security of university systems, including any technology that we install or use. Before third-party technologies that process or access university data or systems can be procured, a Vendor IT Risk Assessment (VITRA) of each product must be completed. This assessment identifies third-party IT risk and provides recommended mitigating controls to lower the overall risk to university users, systems and networks. The process relies heavily on industry security standards and vendor-provided documentation as the basis for the risk assessment.
A VITRA will be required for any free or paid software, including cloud computing services, or any other software to be installed on the ASU technology network. This includes when:
- ASU is purchasing or leasing software, or processing a software license or subscription renewal.
- A third-party entity is:
  - Creating software code and providing it to ASU as licensed software purchased by ASU.
  - Receiving, storing or analyzing ASU data, including data that is not online.
  - Hosting or managing ASU data on infrastructure outside of ASU, including in the cloud.
  - Collecting personally identifiable information or ASU data via a link on an asu.edu or another ASU-managed webpage.
Vendor Evidentiary Documentation
Depending on the nature of data and applicable integrations that your product is expected to handle at ASU, you may need to provide the following documentation, if you possess them:
Any industry-standard security self-questionnaire, preferring but not limited to:
Any industry-standard security compliance audits or certifications, including but not limited to:
Any documentation on the vulnerability lifecycle of your product:
- Penetration testing or vulnerability scanning report or an executive summary listing the number and severity of findings.*
- Web application vulnerability assessment, scanning report or an executive summary listing the number and severity of findings; covering at least the OWASP Top 10 web application security risks.
- Documentation of your vulnerability patching process and lifecycle.
- Documentation of your secure software development life cycle.
*Only needed if you manage your own servers. Not required if you are using serverless computing technologies — see below for more information about the shared responsibility model.
System architecture diagram or description:
- Fully qualified domain names, IP addresses, ports, protocols, and encryption used by your internet-facing servers that will communicate with ASU endpoints or users.
- Documentation on integration implementation, when applicable, including the level of permissions and authentication required.
- Ability of your product to integrate with single sign-on technologies such as Central Authentication Service, Shibboleth/Security Assertion Markup Language, or Active Directory Federation Services.**
- If your product is hosted by an international cloud service provider, the ability to configure your product to only employ data centers located within the borders of the United States.
**If Shibboleth is available, we will ask whether you are a member of the InCommon Federation.
Cloud Service Providers and You — The Shared Responsibility Model
Security audits, assessments, and certifications covering the infrastructure of your cloud service provider do not include the specifics of your product that you have created and are responsible for. This is known as the "shared responsibility model" and here are links to documentation on this topic, provided by a few common cloud service providers: Amazon Web Services, Google Cloud Platform, Microsoft Azure.
Using the Vendor Portal within ASU’s ServiceNow Platform
The ASU VITRA process utilizes the Vendor Risk Management solution provided by ServiceNow and includes a simple Vendor Portal which you will access to provide documentation. Please watch this short 5-minute video to learn how you will use the Vendor Portal.
Maintaining Your Relationship with ASU
Vulnerability scanning and penetration testing
Vulnerability scanning and penetration tests must be performed to identify and remediate risks. Periodic scans, including penetration tests, must be run to find unauthorized applications, services and code, and system vulnerabilities, on your networks and systems. Scanning and penetration testing are expected to be conducted in accordance with industry and ASU standards, as documented in NIST 800-115 or equivalent. Additionally, all web-based applications (e.g. HTTP/HTTPS-accessible URLs, APIs, and web services) are required to have their own web application security scan and remediation plan. As our vendor, you must correct weaknesses within a reasonable period, and you must provide proof of testing to ASU upon request.
Continuous Vendor IT Risk Assessments
As an active ASU vendor, you will be periodically re-assessed based on the outcome of the prior evaluation and the product’s overall risk to the ASU technology network. ASU will notify you when it is time to start a new assessment and you are expected to provide your most recent documentation.
Notifications
You must notify ASU immediately if your company receives any kind of subpoena for or involving ASU data, if any third party requests ASU data, or if your company has a change in the location or transmission of ASU data. All notifications to ASU required in the Information Security paragraph of the ASU Standard Terms and Conditions will be sent to ASU Cybersecurity at Infosec@asu.edu, in addition to any other notice addresses in your executed agreement with ASU.