Compliance Requirements for Outsourced Services

All third-party vendors dealing with Cal Poly Level 1, Level 2, or Level 3 data must submit the following documentation for the level of data handled by the vendor:

Required documentation for L1 or L2 data

  1. Attestation of Compliance (AOC) – (e.g. cert from Cloud Security Alliance)
  2. Report on Compliance (ROC) – (SOC3, SSAE16)
  3. Contract (confidentiality agreement)
  4. Dataflow
  5. Third-Party Vendor Security Questionnaire (PDF)
    (CSA
    V3 questionnaire for Level 1 data; ​Third-Party Vendor Security Questionnaire (PDF) for level 2 data
  6. Incident Response (this should be included in the contract)  
  7. Security exception (if needed)
  8. Application data request (if needed)
    Please note- this form should be submitted after a vendor has been vetted
  9. Authentication request (if needed)
    Please note- this request should be submitted
    after a vendor has been vetted

Required documentation for L3 data

  1. Contract 
  2. Third-Party Vendor Security Questionnaire (PDF)
  3. Security exception (if needed)
  4. Application data request (if needed)
  5. Authentication request (if needed)

Flowchart

(click image for larger version)

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000

Contacts

Did you know?

Stay Safe Online Tips