Home / Policy Compliance / Vendor Relationship Information

Vendor Relationship Information

Initial Vendor Relationship Requirements

Information Security Office (ISO) Contract Language

All systems containing ASU Data must be designed, managed, and operated in accordance with information security best practices and in compliance with all applicable laws, rules, and regulations. To diminish information security threats ASU has developed the ISO contract in order to set expectations between ASU and outside vendors. To review the ISO contract language, click here.

Data Definitions:


Sensitive refers to information intended for limited use within the University by faculty, researchers, staff, students or University affiliates, including information that is regulated or must be protected due to proprietary or privacy concerns; e.g. private student records according to FERPA, personal health information (PHI) according to HIPAA, personally identifiable information (PII), according to state and federal laws and industry regulations or control systems related to critical infrastructure.

Unauthorized disclosure, compromise, or destruction would directly or indirectly have an adverse impact on the University, its students or employees. Violation of statutes, regulations, or other legal obligations, actual or potential financial loss, damage to the University’s reputation and possible legal action could occur.

Highly Sensitive

Highly Sensitive refers to information involving human health, life, and safety matters or hazardous materials situations. This information is intended for extremely limited use within the University on a need to know basis. Statutes, regulations, other legal obligations or mandates protect much of this information. Unauthorized disclosure, compromise or destruction would result in severe damage to the University, its students or employees or other individuals providing the information. Physical harm or endangerment, violation of legal obligations, actual or potential financial loss, damage to the University’s reputation and possible legal action could occur.

Security Review Process

The ASU security review process provides guidance to implement technology solutions efficiently while minimizing security risks. As an ASU technology vendor, you can expect to provide information and to participate in the security review process. More information about the security review process can be found here. Please work with your ASU contact for additional information which requires log-in access.

Ongoing Vendor Relationship Requirements

Scanning and Pen Testing

Scanning and Penetration tests must be performed to identify and remediate risks. Periodic scans, including penetration tests, for unauthorized applications, services, code, and system vulnerabilities on the networks and systems. Scanning and pen testing is expected to be conducted in accordance with industry standards and ASU standards (as documented in NIST 800-115 ) or equivalent. Additionally all web based applications (e.g. HTTP/HTTPS accessible URLs, APIs, and web services) are required to have their own web application security scan and remediation plan. Vendors must correct weaknesses within a reasonable period, and vendors must provide proof of testing to ASU upon ASU’s request. 

SOC2 Report 

SOC 2 was developed by American Institute of Certified Public Accountants (AICPA). The SOC 2 was created in part because of the rise of Cloud computing and the outsourcing of functions to service organizations. It addresses the demand for assurance of confidentiality and privacy of information processed by the system due to liability concerns. ASU requires a SOC2 Type 2 or substantially equivalent review in accordance with industry standards.  Reviews are subject to annual review by ASU upon ASU’s request.


Notify ASU immediately if Entity receives any kind of subpoena for or involving ASU Data, if any third party requests ASU Data, or if Entity has a change in the location or transmission of ASU Data. All notifications to ASU required in this Information Security paragraph will be sent to ASU Information Security at Infosec@asu.edu, in addition to any other notice addresses in this Agreement.

Contact information

Please contact Information Security at Infosec@asu.edu for additional information.