This scope of this policy covers information accessed or held by third parties on behalf of University of Wisconsin-Whitewater. Outside service providers must guarantee the security of their IT systems and University data. This includes, but is not limited to, access by:
The security of University information should be protected when this information is outsourced or otherwise in the custody of third parties. University data should be afforded the same level of protection (or greater) while in the custody of third parties as it is when in the custody of the University.
UW-Whitewater manages technology systems which store university data in electronic form. It is the responsibility of the university to manage electronic data with appropriate safeguards and to protect the data from unauthorized access, modification, distribution or destruction.
University organizational units may have a need to contract with a third-party vendor to supply IT services; some of these services may include the storage of university data at a remote location managed by the vendor.
In general, it is not recommended to use IT solutions that store data on a system not managed by the university or UW System. The university's ability to meet its responsibility to safeguard and protect electronic data is diminished when the data are managed by a third-party. Before entering into an agreement for IT services involving vendor-managed data storage, a department must first justify that the need cannot be met effectively on campus and then consult with ICIT to evaluate the security standards of the vendor's system prior to signing a contract. When determining the need for outsourcing, elements of risk, cost, benefits, and timeliness will be considered in consultation with the appropriate data custodian(s).
Contract language should require the vendor to provide the following:
University of Wisconsin-Whitewater student information that is shared with a third party is considered confidential information and shall be used only for the purposes agreed to in writing between the University and the third party. The third party shall not share or disclose the information with any other third party outside of the purposes stated in the written agreement unless written consent from the appropriate University authority is obtained. Third parties will be required to indemnify and hold the University harmless for any loss, cost, damage or expense suffered by the University as a direct result of the third party's failure to comply with the requirement not to release information, except for the sole purposes stated in the written agreement. The third party shall agree to either destroy the student information in a manner that completely protects the confidentiality of the student information or return the information to the University upon the expiration of the agreement.
ICIT has a responsibility to evaluate third-party IT systems to ensure appropriate safeguards are in place to protect from unauthorized access, modification, distribution or destruction of University data. Additionally, ICIT will maintain policies, procedures and guidelines that may ensure the security of the University's electronic information.
Operational Procedures define ICIT's services, expectations, and role as part of the campus community.