Research Security Requirements–Buying New Applications

Buying New Applications

Whenever you are buying technology from an external vendor, the vendor itself needs to be assessed for trustworthiness. Depending on your purchase method, this might be included in the purchase process. If it is not, you are responsible for making sure your vendor is approved.

Effective immediately, Information Assurance (IA) requires that all services or investments have both a completed and signed Data Processing Agreement (DPA) and a Business Associate Agreement (BAA) before receiving IA/CISO approval. Previously, exceptions allowed deployments to begin before contract finalization, but this practice is no longer viable. Before starting any service or technology contract, teams must ensure all agreements, including BAAs and DPAs, are finalized. IA will not approve Shared Responsibility Agreements (SRAs) or grant provisional approvals without these essential documents.

If you're unsure about engaging with the HITS Contracts team, check the Contracts and Procurement section of HITS InSite for guidance. For divisions not using HITS Contracting processes, contact the relevant Procurement office and the Office of the General Counsel (OGC). Your assistance in sharing this update with stakeholders is crucial for managing project timelines and expectations effectively, ensuring process integrity and institutional security. Additional details can be found in DS-20.

Is the vendor pre-approved?

A vendor only needs to be approved once unless a higher data classification is needed (e.g. Elsevier has been approved for Moderate data and will need to be reassessed for a new researcher with High data, but not a new researcher with Moderate data). If you use a pre-approved vendor, the work has already been done.

List of pre-approved vendors.

Is the vendor security certified?

Some vendors will proactively prove their trustworthiness by getting a security certification. If you can get a copy of a vendor's certification, that will expedite the vendor's approval.

Some common certifications seen in Michigan Medicine are HITRUST, SOC2, and ISO 27001.

Vendor Security Assessment

If the vendor is not approved yet, you will need to do the Vendor Security Assessment. If the vendor has a security certification, the certification will be used in the assessment. If not, Information Assurance may require the vendor to complete a security questionnaire, depending on the data classification: High and Restricted data of any type, and Moderate FERPA data, require a questionnaire; Low data and other types of Moderate data do not. Based on the data gathered in the assessment, the vendor will be approved or denied.

The time to get approval is mostly dependent on how quickly the vendor completes the questionnaire. On average, research requests take 4-8 weeks to complete.

What if I haven't chosen a vendor yet?

If you're still in the process of choosing a vendor, you will not be able to complete your assessment. However, you can ask for a Preliminary Vendor Confidence Report during the vendor selection process to see which vendors have better security practices. Request a Preliminary Vendor Confidence Report here.

How to request a Vendor Security Assessment

The sooner that you can request a Vendor Security Assessment, the better. If a vendor is denied, then anything from that vendor will be blocked from the network, regardless of whether money has been spent or not. It is your responsibility as a researcher to make sure your purchases are assessed properly.

HITS or one of several Trusted Service Provider (TSP) groups helps researchers with their Vendor Security Assessments. HITS can help you find the appropriate group. If Procurement flags a purchase for assessment, they will contact Academic Applications for you. Procurement does not own this process; they are merely a checkpoint for many other processes. In all other situations, you will need to contact HITS yourself.

Request a consultation with HITS.

What happens after the vendor is approved?

If the application is hosted by the vendor, meaning the vendor provides their own infrastructure to run the application, no other requirements are necessary. Some examples of hosted applications are Shinyapps.io, PaperPile, and Benchling. Your TSP will notify you of the approval and you will be able to use the application.

If the application will be hosted on the Michigan Medicine network (for example, on a HITS VM or using MCloud), you will also need to complete the requirements in the Building New Applications section before your application is approved for use.