Instructions for the UMN Information Security Questionnaire for Selecting IT Solutions/Services
Purpose
These questions provide a standard approach for units across the University of Minnesota to evaluate the security controls of IT service providers/vendors either for purchase or free license. Many of the questions are common with the Big Ten Academic Alliance security questionnaire for vendors. Depending on the service/product offered or the security level identified by the unit.
Tab 2 (Screening Questions) is intended to identify basic information security controls for initial screening of vendors, prior to more detailed questions. These questions apply to most information technology services or vendors.
Tab 3 (Finalist Questions) is intended to identify detailed security controls before final selection of vendors. Some questions may not be relevant to all information technology services.
When to use
University of Minnesota units are encouraged to use these questions as the basis for due diligence investigation of prospective vendors or service providers. Review of vendor/supplier security should be based on:
- the classification of the data involved (https://policy.umn.edu/it/dataclassification)
- the security level of the service provided (https://policy.umn.edu/it/dataclassification-proc02), rather than the dollar value of the service contract.
Instructions
1. Download a current version of this questionnaire.
2. Select either Tab 2 (Screening Questions) or Tab 3 (Finalist Questions) as required.
3. Complete the contact information and description fields (in italics) at the top of the tab to identify the contract/context of the vendor responses.
4. Forward the questionnaire to the vendors to complete column C and return their responses with any supporting documentation by a reasonable due date. Only indicate that a question is not applicable to the service or product if you are certain. Note: vendors may request a confidential method of reply (Box Secure Storage is available for secure transfer of data - https://it.umn.edu/technology/box-secure-storage).
5. Contact the appropriate subject matter experts to review the responses received. They are identified in the Required Review by Subject Matter Experts appendix to the UMN Entering into Contracts policy: https://policy.umn.edu/operations/contracts-appb
6. Document any follow-ups with vendor(s) and retain the documentation for contract review or audit purposes.
Additional guidance
https://it.umn.edu/vendor-supplier-management
Contact
University Information Security is available to advise on these questions or vendor responses. Contact security@umn.edu
rev. 8/31/2020