Compliance Requirements for Outsourced Services

All third-party vendors handling Cal Poly Level 1, Level 2, or Level 3 data must submit the following documentation for the highest level of data handled by the vendor:

Required documentation for L1 or L2 data

  1. Attestation of Compliance (AOC) – (e.g. certification from the Cloud Security Alliance)
  2. Report on Compliance (ROC) – (SOC 3, SSAE 16)
  3. Contract (confidentiality agreement)
  4. Dataflow
  5. Third-Party Vendor Security Questionnaire (CSA V3 questionnaire for Level 1 data; Third-Party Vendor Security Questionnaire for Level 2 data)
  6. Incident Response (this should be included in the contract)
  7. Security exception (if needed)
  8. Application data request (if needed)
     Please note: this form should be submitted after a vendor has been vetted.
  9. Authentication request (if needed)
     Please note: this request should be submitted after a vendor has been vetted.

Required documentation for L3 data

  1. Contract
  2. Third-Party Vendor Security Questionnaire
  3. Security exception (if needed)
  4. Application data request (if needed)
  5. Authentication request (if needed)

Flowchart
