What is a "vendor" or a "3rd-party service provider"?
A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISO vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:
- Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
- Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)
These types of vendors are required to meet the same campus policy standards for the protection of protected data that is required for applications and services that are managed by internal campus IT resources.