Like many other higher education institutions, LSU has seen growth in the number of campus units contracting with third party firms for IT based services. An obvious outgrowth of that trend is that an increasing amount of University data and information is being stored outside of the direct control of employees of the University. To address this trend and protect University data, language has been developed to help campus units ensure that the security of University data and information is addressed in both the contract language and process of acquiring third party services.
The uses of this language are several. They include, but are not limited to,
- Used as a checklist in internal discussions regarding service requirements or bid development
- Used as a guide to security questions that can be posed to vendors being considered to provide hosted IT services
- Used to ensure contracted third parties understand that they are held to the same standards as LSU employees with respect to the security of protected information
- Included in whole or in part in contract terms for hosted IT services
- Used by data stewards in making decisions on data release requests from other campus units engaging hosted IT services
- For analysis of free Web-based services
The language should not be considered all-encompassing in cases where highly sensitive data is involved, nor is it appropriate to use the language in its entirety in all hosting contracts. Certain types of data may be of such sensitivity as to require even more stringent protective language, while in the case of less sensitive data the full language may be excessive and jeopardize or delay the acquisition of services unnecessarily.
Questions regarding this language and its use should be directed to the ITS Security and Policy Group, firstname.lastname@example.org. Questions regarding language in contracts under current negotiation should be directed to the Office of Purchasing.