Overview
Purchasing New Applications
When acquiring technology or software from an external vendor, it’s important to ensure the vendor has been properly evaluated for trustworthiness. Depending on your purchasing method, this assessment may be built into the procurement process. If not, you are responsible for confirming that your vendor is approved before moving forward.
Required Agreements
Information Assurance: Michigan Medicine (IA:MM) requires that all technology services or investments include an Information Systems Contingency Plan (ISCP), a signed Data Security Agreement (DSA), and a Business Associate Agreement (BAA) before receiving IA or CISO approval. IA:MM will not approve Shared Responsibility Agreements (SRAs) or grant provisional approvals without these documents in place, because they provide the designated Signatories with assurance that a risk-based security assessment has been performed, that required documentation has been verified, that security controls are in place at the appropriate level, and that the Michigan Medicine Chief Information Security Officer has authorized the investment to operate.
If you’re uncertain whether to engage the HITS Contracts team, visit the Contracts and Procurement section of HITS InSite for guidance. Divisions not using HITS contracting processes should contact their local Procurement Office and the Office of the General Counsel (OGC).
Your diligence in sharing and following this process helps protect institutional security and maintain project timelines. More information is available in DS-20.
Is the vendor pre-approved?
A vendor only needs to be reviewed once unless the data classification for your project is higher than a previous approval. For example: If Elsevier was approved for Moderate data, it would only need reassessment for High data—not for another Moderate data use.
If you are using a pre-approved vendor, the vetting work has already been completed. You can find the List of Pre-Approved Vendors on the bottom left of the Trusted Service Provider (TSP) Resources page.
Is the vendor security certified?
Many vendors demonstrate their trustworthiness through formal security certifications. Providing a copy of the vendor’s certification can speed up the approval process.
Typical security assurances recognized at Michigan Medicine include HITRUST, SOC2 Type II, and ISO 27001.
Vendor Security Assessment
Third Party Vendor Assessment
- Third Party Vendor assessments are required based on guidance in U-M Standard: Third Party Vendor Security and Compliance (DS-20).
- "Vendor Security Assessment (VSQ)" and "CORL Assessment" (CORL is a vendor that provides assessment services on behalf of Michigan Medicine) are terms that may be used to describe this artifact.
- Assessments of Third-Party vendors are based on security and regulatory standards such as, but not limited to, NIST 800-53 and HIPAA; documentation and other assurances are required as part of the assessment.
- If a Third-Party vendor has a valid security assurance, this may meet the DS-20 requirement.
What if I haven't chosen a vendor yet?
If you're still in the process of choosing a vendor, you will not be able to complete your assessment. However, you can ask for a Preliminary Vendor Confidence Report during the vendor selection process to see which vendors have better security practices. Request a Preliminary Vendor Confidence Report here.
How to request a Vendor Security Assessment
Request your Vendor Security Assessment as early as possible.
If a vendor is ultimately denied, any technology from that vendor will be blocked from the Michigan Medicine network, even if it has already been purchased. Researchers are responsible for ensuring that all technology purchases are appropriately assessed.
HITS or one of the Trusted Service Provider (TSP) groups can assist with this process.
- If Procurement flags your purchase for assessment, they will contact Academic Applications on your behalf.
- Procurement only acts as a checkpoint—they do not own the vendor assessment process.
- In all other cases, you should contact HITS directly.
Request a consultation with HITS.
What happens after the vendor is approved?
If the application is hosted by the vendor (i.e., the vendor provides their own infrastructure), no additional steps are required once approval is granted. Examples of hosted applications include Shinyapps.io, PaperPile, and Benchling.
Your TSP will notify you when approval is complete, and you may begin using the application.
If the application will be hosted on the Michigan Medicine network (for instance, on a HITS virtual machine or MCloud), you must also complete the steps outlined in the Developing New Applications section before final approval.