IT Professionals,
In support of IU’s compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, we are updating Software and Services Selection Process (SSSP) guidance regarding contract renewals.
As a reminder, purchases that have previously been approved and do not have a use case change no longer require an SSSP form. As a clarification, however, renewals may still require third-party assessment (3PA) review by the Data Stewards.
If the existing information technology software product or IT service contract involves any of the following, Data Steward review is required at every renewal, and you must submit a Third Party Assessment (3PA) form:
- Collection of customer financial information
- Collection of revenue (PCI)
- HIPAA-regulated protected health information (PHI)
This guidance also applies to items on the Conditional Allow List.
To aid in determining when an SSSP form or other action is required for contract renewals, we have:
- Updated the SSSP Contract Renewal form to clarify the information collected and to include language about which items require 3PA review.
- Updated the existing KB document About the Software and Services Selection Process (SSSP).
- Added a new KB document, Software and Services Selection Process (SSSP) contract renewals.
If there are questions regarding the 3PA or GLBA, please contact iudata@iu.edu.
Please feel free to reach out to our team at ssspserv@iu.edu.
–IT Community Partnerships