Vendor Confidential Information Agreements and Addendums Recommendation
Vendor Confidential Information AgreementVendor Confidential Information Addendum
To ensure that WVU information resources are adequately protected when procuring products and services from external service providers, the Information Security Program is recommending that WVU Community Members consider level and type of third-party access to WVU resources and practices to limit or control such access.
We are recommending that the Confidential Information Agreement or Addendum documents be used when procuring a service or product (via formal contracting procedures or procurement card purchases) that will require vendors to access or use WVU information resources. Examples of situations that give vendors access to WVU resources include, but are not limited to, those that allow a vendor to
- login to a WVU application, system or server
- store, receive or transmit confidential or proprietary data,
- host Web pages or applications,
- work with (e.g., maintain, surplus, repair) hardware or components that contain confidential or proprietary information and / or
- work in an area that houses secure or restricted resources.
The purpose is to explicitly communicate the WVU security requirements of availability, confidentially and integrity to the third-party service provider. By communicating our security expectations to the third-party service providers we
- increase their awareness of our security requirements,
- attempt to reduce the risk that the service provider will disclose confidential
- or sensitive information, and reinforce WVU information security requirements.