Contracts, ISO, And F&A 2020 - Office Of The General Counsel

Transcription

Contracts, ISO, and F&A 2020
Presented by: UCF Office of the General Counsel, UCF Security Information Office, UCF Finance and Accounting

Many types of documents can constitute a contract!
Examples: invoices, memoranda, letters – the title of the document is not important, the content matters!
Issue: Vendors often state “subject to Vendor’s terms and conditions” – the terms and conditions are not always attached and are sometimes found only on the Vendor’s website.
Problem: UCF employees agree to a Vendor’s terms and conditions without realizing it.
State Law: Restrictions apply to UCF as a state entity regarding contractual provisions.

Contract Review Process
ALL contracts – except for previously approved standard contract templates, and those click-throughs and other purchases that DO NOT require GC review (please see the following slides for more info) – must be sent to the UCF General Counsel’s Office via Cobblestone for legal review PRIOR to signature by an authorized UCF signatory.

Click-Through Contracts and Other Purchases
UCF Departments are no longer required to send every click-through contract to the GC’s Office for review. Only those click-through contracts identified in the next slides as requiring General Counsel review should be sent to the Office of the General Counsel.
However, UCF Departments are required to complete the UCF Information Security Office (ISO) “ISO Data Checklist” for any click-through contract or other purchase involving Restricted or Highly Restricted Data the Department wishes to enter into.
The checklist can be found in the FAQ section of the UCF ISO Vendor Risk Management website: https://infosec.ucf.edu/vrm. The checklist helps determine the applicability of the Vendor Risk Management (VRM) process and shows what steps the UCF department should take depending on the data involved.

Click-Through Contracts and Other Purchases
GC Review Required:
1) Click-through contracts requiring “formal” signatures by both parties via signature blocks, as opposed to just clicking a button.
Potential GC Review:
2) Click-through contracts and other purchases involving Restricted or Highly Restricted Data. The UCF department must follow the ISO Data Checklist to determine the data involved and whether the Vendor Risk Management (VRM) process is applicable. As part of the VRM process, UCF ISO will advise the UCF Department on contractual and review requirements and whether the Department needs to forward the click-through or other purchase document to the Office of the General Counsel.

Click-Through Contracts and Other Purchases
This applies to any purchase that involves Restricted or Highly Restricted Data, regardless of what type of purchase mechanism is used (e.g. PCard, Purchase Order, ROTT Reimbursement Other Than Travel, etc.).

Click-Through Contracts and Other Purchases
Do Not Require GC Review:
1) P-Card purchases, except if the vendor requires formal signatures by both parties, and except for P-Card purchases that involve Restricted or Highly Restricted Data as described above.
2) Any other click-through contract or purchase that doesn’t involve Restricted or Highly Restricted Data as described above.

Additional:
Standard contract templates that have been pre-approved by the UCF GC’s Office do not have to be sent to the GC’s Office prior to signature; however, if any change is made to these templates, even if minor, this will require submission to the UCF GC’s Office for legal review.
A fully executed copy needs to be returned to the UCF GC’s Office.

Contract or Quote?
Answer: Contract

Contract or a Quote?
Answer: Quote

Common Problem Clauses in Contracts
- Indemnification
- Insurance
- Choice of Law
- Liability Limitations
- Caps on Damages
- Infringement Disclaimers
- Security Interest
- Letters of Credit
- Assurances of Performance
- Public Records / Records Retention Requirements
- Prevailing Party’s Attorney’s Fees

Finance and Accounting

What is an ROTT?
- Reimbursement Other Than Travel
- Used for small dollar, out-of-pocket purchases
- Only when the university’s preferred methods can’t be utilized: PCard, Petty Cash, Purchase order
- The university is required to pay sales tax it would otherwise be exempt from

When to Use an ROTT
- Emergency purchases
- Unavoidable circumstances
- Small dollar amounts (less than 250)

When Not to Use an ROTT
- Purchases of services
- Purchases from foreign vendors
- Repeated purchases of goods from the same vendor
- Repeated purchases of the same good from different vendors
- Purchases of hazardous materials per EHS
- Purchases of taggable items
- Amazon purchases
- Purchases of cloud computing and data storage services
- Purchases that involve entering a contract

Information Security Office: Vendor Risk Management

VRM Program: What and Why?
What is it?
- UCF’s information security vendor review program: Vendor Risk Management (VRM)
Why do we do it?
- To minimize the risk to university data
- To ensure compliance with data security standards (FERPA, HIPAA, PCI, etc.)
- To carry out UCF Policy 4-014: Procurement and Use of Cloud Computing and Data Storage Services

VRM Program: When does the VRM program apply?
When does it apply?
- Whenever a university entity is considering a third-party service provider for the purposes of storing, transmitting, processing, or collecting university data on our behalf
- Must be submitted for VRM Review if the proposal involves Highly Restricted Data or Restricted Data

Data Classification (from UCF Policy 4-008, policies.ucf.edu)
Highly Restricted Data: any data that is strictly controlled, restricted, and/or protected by laws, regulations, contracts, or policies.
- Breach will require notification to those affected (costs)
- Breach will have significant legal consequences: criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.
- e.g. Social Security Number, HIPAA electronic Personal Health Information, Financial Account Numbers, Federal Controlled Unclassified Information (CUI)

Data Classification (from UCF Policy 4-008, policies.ucf.edu)
Restricted Data: data the unauthorized access, modification, or loss of which could:
- adversely affect the university (e.g., cause financial loss or loss of confidence or public standing in the community),
- adversely affect a partner (e.g., a business or agency working with the university), or
- adversely affect the public.
e.g. business sensitive data, FERPA education records/PII, proprietary intellectual property data, general non-federal research data that is bound by confidentiality agreements with subjects

VRM Program: How?
What does the review consist of? ISO will work with you to coordinate a review of:
- Data involved (this drives the depth of review)
- Vendor’s security policies / procedures
- Solution’s implementation and capabilities
- Contracts, agreements
Generally, a click-through agreement alone is not sufficient for Restricted or Highly Restricted Data. ISO can advise on this as part of the VRM process – see also the FAQs on the VRM website: infosec.ucf.edu/vrm

Website
Where do I start? All information covered today (and more!) can be found on: infosec.ucf.edu/vrm
