Skip to main content

Service Provider Security Assessments

University schools and business units occasionally contract for information processing services with outside parties or service providers; of concern are those circumstances where service providers process or hold University data. While Northwestern University has taken steps to help ensure that its data is protected, service providers must also exercise appropriate controls to minimize the risk of exposing the data to potential unauthorized access and loss.

NUIT provides a Service Provider Security Assessment to:

The security assessment document is required in all instances where:

Performing an Assessment

The school or business unit provides the service provider with the cover letter, instructions for completing the security assessment, request for documentation, and security assessment documents. Service providers are encouraged to respond fully to the questions, and return the completed assessment and any supporting materials to the NUIT Consulting and Project Office for review and scoring. The results of the review are provided to the requesting school or business unit, the Office of General Counsel, and the Office for Audit and Advisory Services.

A workflow diagram is also available to give an overview of this assessment process.

Sensitive Data

Where the University's "Legally/Contractually Restricted" and "Internal" data is held or processed by a service provider, there is a potentially higher risk where unauthorized access or loss occurs, so additional weight is appropriately applied to those circumstances.

Non-Disclosure Agreements

The service provider may consider the information provided in response to the security assessment to be confidential, and a non-disclosure agreement may be requested. See Guideline for Northwestern University's Non-Disclosure Agreements for advice.

Last Updated: 16 February 2021

Get Help Back to top