You can help us promote good information security on campus by asking the following question of your customers.
Does the solution you are purchasing process, store, reproduce, or transmit personally identifiable information, including any one of the following:
- Social security number
- Drivers license number
- California identification number
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Medical information
- Health insurance information
If so, please be aware that the solution must comply with the Minimum Security Standards for Electronic Information. For more information see Before Sourcing Technology or contact IT Policy at email@example.com.
Cloud computing, hosted solutions, etc.
Buyers, please inform your customers of the following when purchasing applications and services hosted outside of UC Berkeley:
In most cases, the vendor has access to your data, communications, account information, etc. Don’t expect that the vendor’s privacy, security, or business continuity protections will meet UC standards. Some ground rules and important pointers:
- Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
- Don’t use external information systems or services to collect personal information without ensuring that all appropriate campus policies are met. Please contact IT Policy at firstname.lastname@example.org for more information.
- Don’t expect to get your information back if the company has a disruption in service, is acquired, or goes out of business. Keep local copies/backups of any critical data or records just to be safe.
- Don’t expect to be informed if law enforcement or the government requests or subpoenas information from the vendor or service provider. This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request. This means that your privacy and the privacy of everyone using the product or service is dependent on the outside organization.