Information Security Requirements for Institutional Information Held by Third Parties (ISR-3)
Published: June 1, 2022
Compliance Required: September 1, 2022
Per the procedures defined in the Information Security for Institutional Information Policy (IT-8), this Information Security Requirement ("ISR") for Institutional Information Held by Third Parties has been published by Drexel University or its subsidiaries or affiliates ("Drexel") to better protect Drexel information.
Institutional Information may only be held or processed by third parties—including paid-for or "free" cloud-based, off-campus, or on-campus services managed by an entity other than Drexel—for which Drexel IT has approved the provider to handle such data for specific purposes and only while the service provider is under contract with Drexel for the service.
Organizations and individuals wishing to have a third party hold or process Institutional Information may seek approval of the third party to handle specific Institutional Information for specific purposes.
Except when working with Controlled Unclassified Information (CUI) or Export Controlled Information (ECI), individuals at Drexel engaged in research led by another institution may, with appropriate documentation, use third-party service(s) approved by the lead institution for the research.
Appropriate documentation includes a signed memo from the Principal Investigator asserting that the third-party services to be used by the research project are permitted for use by the P.I.'s institution, technology control plan, or data management plan. The documentation should be maintained by the individual at Drexel.
Note: The above Research Exception does not apply to Controlled Unclassified Information (CUI) or Export Controlled Information (ECI). Working with CUI or ECI requires additional safeguards which are overseen by the Office of Research and Innovation research compliance team. Contact them at firstname.lastname@example.org for guidance before using third-party services not approved by Drexel for these information types.
Requests to consider approval of a third party for the handling of specific Institutional Information for specific purposes must be submitted to Drexel IT via the Third Party Risk Management process.
Approvals, if granted, will allow the organizations and individuals to provide specific Institutional Information to the third party for specific purposes.
A new approval must be requested each time:
- Different and/or new services are to be provided by the third party;
- Type of data stored/processed/transmitted by the third party changes (for instance from non-sensitive to sensitive data);
- Significant changes are made to the systems or controls; or
- The location where data is stored changes (for example, from Drexel on-premises storage of data to third-party cloud storage).
Using third parties to hold or process Institutional Information without prior approval is a violation of this ISR.
Any violation of this Information Security Requirement by any Applicable Member shall be construed as a violation of the Information Security for Institutional Information Policy (IT-8) and may result in disciplinary action up to and including termination.