Cloud Software Contract Requirements
ITS reviews all Software as a Service (SaaS) and cloud software vendors for security compliance during software selection and at contract renewal. This review is a response to the changing nature of data and software security, to internal and state legislative audit findings, and to an evolving regulatory environment for sensitive information. SIUE has a responsibility to protect certain classifications of information, such as payment card data (PCI), Social Security numbers (SSNs), health data (PHI), and criminal justice information (CJI). The review assists the data steward in making a risk decision on behalf of SIUE about protecting the data the steward is responsible for; this data may be encumbered by regulation and classified as sensitive by SIUE policy. The review verifies that the vendor accepts accountability for its security controls and processes and shares liability if a data breach is determined to have occurred. Because SIUE cannot extend its security perimeter to include direct participation in, or influence over, an outsourced vendor's hiring decisions, configurations, software choices, and business processes, this compliance review is SIUE's due diligence: it confirms vendor claims and establishes shared liability for handling SIUE classified data outside the university security perimeter.
When selecting a cloud service or software service vendor that operates outside SIUE's infrastructure, the university needs contractual guarantees that the vendor will protect SIUE sensitive information to the standards SIUE is held to by law and best practice. If the vendor will store (via upload) or otherwise handle SIUE data classified as sensitive or protected, consider the following items:
- A clear statement of data ownership – that SIUE owns the data and is able to get a usable copy in an easily exportable format at any time during the contract and at termination of the contract.
- A data breach notification policy or contract statement committing the vendor to notify SIUE within 24 hours of becoming aware of a breach, or within whatever period applicable regulation requires. Breach notification is required under Illinois state law, the Personal Information Protection Act (PIPA).
- Access to vendor security evidence: an SSAE 16 or SSAE 18 (SOC 2) audit report (SSAE 16 has since been superseded by SSAE 18), a PCI attestation of compliance, a signed Business Associate Agreement (BAA) where PHI is involved, a completed HECVAT questionnaire, or another third-party security audit report. Because SIUE does not own these vendor documents and is granted access to them only for the purpose of contract review, and because of the potential damages to the vendor, the limits of insuring against such damages, and the cost of safeguarding such sensitive material, SIUE does not store vendor-owned security documentation onsite.
- Access to, or verification of, the vendor's data backup policy.
The vendor must provide these items for ITS review before ITS can approve the vendor or contract. The requirements apply only when the vendor will store or handle sensitive information; they do not apply to database access subscriptions or services to which no SIUE sensitive data is uploaded and in which none is generated.
Software contracts must also be reviewed for export control requirements. If export control restrictions apply, the users of the software must be reviewed to ensure compliance with those restrictions, and the restrictions must be communicated in writing to the SIUE Purchasing Office, the requesting Department Director, the Legal Office, and the Office of Research and Projects.