Frequently asked questions: SURF Vendor Compliance
On this page you will find the most frequently asked questions about SURF Vendor Compliance. Both general questions and questions about services.
No. We carry out trajectories on vendors/applications for which there is a need within the sector for conversations about privacy and/or security. These do not have to be parties with which we already have an agreement. We negotiate as many amendments/contractual agreements as possible that benefit the entire education and research sector. This applies even when contracts are negotiated directly between the institution and the vendor. An additional advantage is that these processes can lead to an agreement through SURF, as happened for example with Zoom.
Twice a year we take stock of needs with: the Procurement Network, CSC/security incoop linking pins, CISOs, POs, FGs (via SCIPR), the Cybersecurity Regiegroep, the Taskforce Beyond Privacy Shield and MBO Digitaal.
We aggregate needs based on criteria such as possible national collaborations, use and urgency within sectors, identified issues (for example with data storage), incidents, possible conflicts with SURF procurement processes, and weight (small, medium, large). The information is translated into a proposal for the calendar (when will which trajectories be implemented?). The calendar is submitted to the Cybersecurity Steering Committee, which coordinates it with the constituency and comes up with a supported advice on the calendar.
The advice goes to the CSC chairs. They advise the Executive Board of SURF. The results of the advice are submitted to SURF's Executive Board for adoption/approval. We inform the aforementioned stakeholders and deliver the service. We report to the Cybersecurity Steering Committee in accordance with the existing frequency and annual cycle within SURF. If the evaluation shows that substantial changes are desired, these are submitted to the SPA.
We have been asked by members whether we would, on behalf of the sector, conduct DPIAs, DTIAs and security checks on vendors/applications that are relevant to the majority of members. SURF negotiates on behalf of the entire sector, which makes us many times stronger with vendors than individual institutions.
Once we have performed a risk analysis on a supplier/application, we enter into discussions with the supplier about measures to resolve any risks found as far as possible. Many of these agreements are laid down in, for example, a standard processing agreement. We also draw up instructions that describe how institutions can use the application in the most privacy- and security-friendly way possible. These instructions are shared publicly as much as possible. Whether your institution actually uses the application is up to the institution itself. The institution remains responsible for assessing whether the application/supplier can be used within its own processes. We do a lot of the preliminary work, but the institution itself must apply it within its own organization. You can benefit from the technical, organizational and legal agreements that we have arranged for you.
Black/closed box approach: external perspective, no access to internal systems.
Pros: Mirrors customer view, less intrusive for vendors.
Cons: Limited visibility into internal processes, may identify more high risks.
White/open box approach: full access to internal systems and source code.
Pros: thorough analysis of data processing and security controls.
Cons: time-intensive, requires vendor cooperation.
Grey/semi open box approach: combination of black and white box testing, with selective internal access.
Pros: balanced insight, efficient use of resources, reduced vendor input.
Cons: may lead to inconsistent depth of analysis, relies on vendor accuracy.
The cost of implementing compliance trajectories is funded from the Basic Fee Purchasing and Digital Platforms (BIDP). The members have given approval to include the SURF Vendor Compliance services in this. Almost all members pay this basic fee, including for the SURF Vendor Compliance services. Thus, contributions to the service are made at the central level.
We take on an average of eight trajectories per year. To collect needs for the agenda, twice a year we send out a survey to the following people: CISOs, security officers, privacy officers and FGs via the SCIPR network, software contact persons, CSCs, the Cybersecurity Regiegroep, the Taskforce Beyond Privacy Shield and MBO Digitaal (via the IBP network).
If you have any wishes in the meantime, please pass them on via the inventory form. Wishes we receive in the interim are included in the next update of the calendar.
If there are different needs within the institution, for example from people in different departments, all of these people can provide input. If a vendor/application is mentioned several times by the same institution, we count it once. In other words, each vendor/application submitted counts once per institution.
Example:
- 5 people from institution X each supply 3 different applications: a total of 15 applications are supplied from institution X.
- 5 people at institution X each supply 3 of the same applications: a total of 3 applications have been supplied from institution X.
In this way we ensure that each discipline/role is represented when the desired applications/vendors are submitted.
If you want to submit requirements jointly, there are two ways:
- Each institution separately completes the jointly agreed list.
- The list is submitted by one institution, but it clearly states on behalf of which institutions the wishes are submitted. This matters because we count how many institutions express a wish for a compliance trajectory on a particular vendor/application.
Previously submitted requirements for compliance trajectories remain valid; we add new input to them. We shortlist the vendors/applications that are mentioned most often. Twice a year, we ask institutions to provide feedback on all shortlisted vendors/applications. This makes clear to us which applications deserve urgency, and we adjust our calendar accordingly. Input and requests for compliance assessments can be submitted continuously via this form.
Institutions use a wide range of different vendors. In many cases, these suppliers process personal data of SURF members and their users. Under the AVG (GDPR), institutions are obliged to check how their suppliers deal with privacy and security. SURF undertakes such compliance trajectories at the request of institutions. We discuss privacy and/or security with suppliers on behalf of institutions and ensure that suppliers take measures to resolve identified risks. It pays to do this collectively on behalf of all the institutions: by combining knowledge and expertise, we achieve cost savings, share knowledge, and have a stronger negotiating position towards suppliers.
A DPIA (Data Protection Impact Assessment) is a tool for identifying privacy risks to data subjects (e.g. users). Under the General Data Protection Regulation (GDPR, in Dutch the AVG), a DPIA is required when personal data is processed on a large scale or when sensitive personal data is processed.
Through SURF, the members make joint agreements with ICT and content suppliers regarding the supply and purchase of products and services. In this way, the members jointly ensure scale and an efficient point of contact for suppliers. Performing risk analyses such as DPIAs is part of this. In many cases suppliers process personal data of (employees and students of) SURF members. It is therefore important that suppliers comply with legislation and regulations. SURF collaborates in this as much as possible with partners such as SIVON and the government. Together, several DPIAs have already been carried out.
Yes, there is close cooperation between SIVON and SURF, as well as between MBO Digitaal and SURF (and other collaboration partners such as the central government). Wherever possible, we collaborate on the various DPIAs or exchange information on ongoing trajectories.
Each institution must decide for itself to what extent the results apply to its own organization. The DPIAs produced can therefore be used by anyone, including organizations outside education and research, but must always be interpreted in light of their own situation, processes and environment.
In most cases, we work with collaboration partners such as the central government and SIVON, and have studies conducted by external parties such as Privacy Company.
The risk analyses are in English because the language of communication with international suppliers is English. The results must also be clear to employees of these organizations and must not be misinterpreted or mistranslated. In addition, they are then readable by a wide audience.