This questionnaire is for technology service providers to complete. Technology service providers include any vendor providing hardware, software, or a service to the college. It is highly recommended to provide these questions to the vendor in early discussions to avoid delays or possible late cancellations due to security concerns. Send this to the vendor representative you are in contact with and forward the results to informationsecurity@morainevalley.edu. The Information Security team will review the results, and if the vendor answers yes to any of the questions, the Information Security team will provide a response including a risk analysis.
- List the security practices that are in place by the service provider:
- Is the vendor processing payments? If yes:
  - PCI Compliance: The vendor must have and provide records of PCI compliance.
  - Payment types: Will credit card terminals be used on site, will payments be made online, or both?
  - Section two must be completed.
- Is the vendor accessing, storing, or transmitting sensitive data? If yes:
  - Security Posture: Describe how sensitive data is managed, particularly where forms collect user information, and how this complies with data protection regulations. Include information on multi-factor authentication, firewalls, encryption (at rest and in transit), and intrusion detection systems. Include a history of cybersecurity incidents.
  - Data Privacy: Provide policies regarding the use or sale of user data, including marketing practices. Provide details on how user data is handled, and confirm that no data is sold or used for unauthorized purposes.
  - Compliance: Describe your data privacy program and how it ensures compliance with U.S. federal and state laws, as well as applicable international laws, particularly in relation to personal data collection, storage, and processing.
  - Confidentiality: Describe how user access and permissions are managed.
- Does the vendor use equipment or services from the following companies?
  - Huawei Technologies Company
  - ZTE Corporation
  - Hytera Communications Corporation
  - Hangzhou Hikvision Digital Technology Company
  - Dahua Technology Company
  - AO Kaspersky Lab
  - China Mobile International USA Inc.
  - China Telecom (Americas) Corp.
  - Pacific Networks Corp or ComNet (USA) LLC
  - China Unicom (Americas) Operations Limited
  - Kaspersky Lab, Inc
FERPA
When a vendor has access to FERPA-protected data, the vendor must be contractually designated as a "School Official":
MVCC designates VENDOR and its officers, employees, and agents involved in this engagement as “School Officials” for FERPA purposes, who are subject to the following:
- VENDOR performs an institutional service or function MVCC would otherwise use employees to perform.
- VENDOR is under MVCC’s direct control with respect to the use and maintenance of educational records.
- VENDOR is subject to FERPA restrictions on use and disclosure.
- VENDOR access shall be limited to personnel with a documented legitimate educational interest necessary to perform the services under this agreement. Role-based access and least privilege are used to ensure access is restricted.
Data Protection Obligations
1. Data Encryption: The Vendor agrees to implement and maintain appropriate administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of all non-public personal information (NPI) provided by the Institution, in full compliance with applicable federal, state, and local data protection laws.
2. Use and Disclosure Restrictions: The Vendor shall use Moraine Valley Community College data solely for the purpose of providing contracted services and shall not disclose such information to any third party except as permitted by law or with prior written consent from the Institution.
3. Direct Control and Oversight: The vendor acknowledges that the Institution exercises direct control over the use and maintenance of Moraine Valley data and agrees to adhere to all applicable institutional policies and procedures governing data privacy and security. All MVCC data, including educational records and PII, remain the exclusive property of Moraine Valley Community College.
4. Incident Response and Notification: In the event of a data breach or security incident involving NPI, the Vendor shall notify the Institution within [X] hours of discovery and cooperate fully in the investigation, containment, and remediation of the incident.
5. Employee Training: The Vendor shall ensure that all employees and subcontractors with access to NPI receive appropriate training on data privacy and security obligations.
6. Audit Rights: The Institution reserves the right to request verification of the Vendor’s compliance with this agreement, including inspection of security controls and review of relevant documentation, upon reasonable notice; the Vendor shall complete such requests within 90 days.
7. Termination for Non-Compliance: The Institution may terminate this Agreement immediately upon discovery of the Vendor’s failure to comply with requirements or breach of this data protection clause.