My unit is contracting with a 3rd-party service provider to host campus PL1 classified data. How can the vendor be assessed to meet campus security policies in the absence of ISO resources?
Units can ensure that 3rd-party service providers meet the campus data security policy requirements for the handling of Protection Level 1 (PL1) data through the following actions:
- Be sure to include the UCOP Data Security & Privacy Appendix, required for all UC contracts involving 3rd-party access to protected data, without edits, in the service provider contract. This ensures baseline protection for the University in the event of a data breach, including:
  - Service provider compliance with applicable laws (e.g., FERPA, HIPAA), regulations and campus policy.
  - Requirements for a vendor information security plan and breach reporting process.
  - Adequate cyber-insurance to cover the cost of investigating and responding to a breach.
- Notify the service provider that by signing off on the Data Security & Privacy Appendix, they are obligated to abide by campus policy, including adherence to the requirements of the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI) policy for the protection of PL1 data.