Third Party Security Requirements
Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty and staff, as well as to protect the confidentiality of information important to the University's academic and research mission.
For that reason, Stanford has identified three categories of non-public information for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect the information against unauthorized access. The categories are listed in this table.
Stanford expects all partners, consultants and vendors to abide by Stanford's Guidelines for Data Classification, Access, Transmittal and Storage ("Guidelines"). Prior to performing Services which require access to, transmission of and/or storage of the University's Prohibited or Restricted information, Vendors should provide a third party attestation verifying their ability to comply with Stanford Guidelines. Third party attestation examples include: PCI DSS certification, ISO 27002 certification, OWASP Application Security Verification Standard certification, SAS 70 Type II or its successor the SSAE-16. Depending on the type of data, provisions must be in place for encryption during transport to and from the ASP. Additionally, if Stanford information is to be accessed or shared with these third parties, the contract with the Agent must include this clause:
Contractor agrees to handle data and other information ("Data") with a standard of care at least as rigorous as that specified in the University's guidelines for Data Classification, Access, Transmittal and Storage ("Guidelines"), located at http://dataclass.stanford.edu/, and the University's policies concerning information security, which can be found at https://adminguide.stanford.edu/chapter-6/subchapter-3/policy-6-3-1 and which are hereby incorporated by reference into the Agreement. Prior to performing Services which require access to, transmission of and/or storage of the University's Prohibited or Restricted information, Contractor will provide a third party certification verifying its ability to comply with the Guidelines. Contractor will not copy, cause to be copied, use or disclose Data received from or on behalf of the University except as permitted or required by the Agreement, as required by law, or as otherwise authorized by the University in writing. Contractor will give immediate notice to the University of any actual or suspected unauthorized disclosure of, access to or other breach of the Data. In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the Data, Contractor will comply with all state and Federal laws and regulations related to such breach, and will cooperate with the University in fulfilling its legal obligations. Contractor will indemnify the University for its violation of this paragraph, including but not limited to the cost of providing appropriate notice to all required parties and credit monitoring, credit rehabilitation, or other credit support services to individuals with information impacted by the actual or suspected breach. Upon termination or expiration of the Agreement, Contractor will return or, at the University's election, destroy, the Data within 30 days from the conclusion of the Agreement. This paragraph and its indemnity will survive the termination of the Agreement.
If a third-party vendor will be engaging in financial services on behalf of Stanford University or on the Stanford campus, the contract must also include this clause:
Vendor agrees to handle data and other information generated from financial transactions involving the Stanford community ("Data") according to Payment Card Industry Security Standards (PCI DSS) Compliance standards, https://www.pcisecuritystandards.org/security_standards/index.php, if applicable, or using secure standard financial industry practices, if PCI DSS standards are not applicable. Stanford reserves the right at any time to request either proof of PCI DSS compliance or a certification (from a recognized third-party security auditing firm) verifying Vendor uses secure standard financial industry practices in its financial transactions, and maintains ongoing compliance under PCI DSS standards and/or secure financial industry practices as they change over time. Attachment __ provides a list of payment applications Vendor will use to conduct financial transactions under this Agreement; Vendor will provide 30 days notice prior to adding or removing any payment applications. Vendor will comply with all laws relating to the collection, use, storage, protection and breach of Data, including but not limited to the California Money Transmission Act. Vendor warrants that it will not use any Stanford system in connection with financial transactions under this Agreement, and without limiting the foregoing, further warrants that it will not store or transmit Data using Stanford's system. Vendor will give immediate notice to the University of any actual or suspected unauthorized disclosure of, access to or other breach of the Data. The parties agree that Vendor is entirely responsible for Data generated under this Agreement and Vendor will indemnify the University for its violation of this paragraph. This paragraph and its indemnity will survive the termination of the Agreement.
Please contact your manager and/or the University Privacy Officer with any questions about the appropriate classification of information. Please contact Purchasing with questions about contract requirements. Please contact the Chief Information Security Officer with any questions about appropriate protection of information.