Information Services > Security > Services & Resources > Security Review for Hosted Systems

Information Security Review for Hosted Systems

For all DePaul covered data (as defined by the Information Security Policy), to be hosted as a service by an external vendor, whether the data is furnished by DePaul or collected on the vendor site or through entry by DePaul constituents, care must be taken to ensure that the vendor secures this data in an appropriate manner.

Agreements between DePaul and outside services where the service provider hosts or has access to DePaul covered data must have a contract in place, regardless of the dollar amount of the contract.  The Director of Information Security must be notified to review the anticipated use and handling of DePaul data and to review the Application Security Intake Form submitted by the requester.

Service providers should be asked for an independent opinion on the security and controls environment.   The SSAE18 (Statement on Standards for Attestation Engagements No. 18) is an attestation standard geared toward an independent auditor providing a statement on the control environment of a service provider.  The most significant report within the SSAE18 is the SOC 2 Type 2 which audits the company's security, availability, integrity, confidentiality and privacy controls during a set period of time. It is becoming an industry standard for service providers to provide this to their clients.


If the service provider does not have an SSAE18, the following questions should be raised with them:

  • Will there be an SSAE18 available in the near future?
  • Have you had any contracted for any other type of independent audit opinion that you can provide to us?

The following elements (if applicable) should be specified contractually between DePaul and the service provider:

  • Responsibility of vendor to secure data.
  • Prohibition of usage of data by vendor (unless use is specifically outlined)
  • Ownership of data should generally be DePaul University
  • Termination of services clause should be in the contract and include delivery of data to DePaul (if necessary) and deletion of all DePaul data in vendor’s custody
  • FERPA, HIPAA and PCI-DSS compliance by provider (as well as other regulations which may apply), if applicable
    • If the service that will be provided involves the user of credit cards, determine if the provider is Payment Card Industry Data Security (PCI-DSS) certified.​
  • Provider agreement to notify DePaul in the event of a security breach affecting DePaul data and to cooperate with DePaul on any public notifications this event may require