Champion Brief · Confidential
Indiana University  ×  Connected Consulting

THE LIGHT‑PATH
PLAYBOOK

What to hand your internal champion so their talk track to the security office clears the SSSP review fast — by removing the one thing that triggers a deep review.
The work routes through IU's Software & Services Selection Process (SSSP), reviewed jointly by UITS, Procurement, the Information Policy Office, and the Information Security Office (UISO). The deep review fires on a single condition: a service that hosts or accesses critical data. Strip that trigger and the same process runs light. Every fact below is aimed at making security say: "this isn't a data-custodian risk."
What Security Inspects  →  What Defuses It
They check: A new cloud vendor hosting IU data?
You answer: Build runs inside IU's approved tools — ChatGPT Codex, Claude, and Microsoft Copilot native workflows. No new system to assess.

They check: Does data leave the tenant?
You answer: No export. Data never touches our systems — the single biggest 3PA de-risker.

They check: What access does the firm hold?
You answer: Least-privilege, supervised, time-boxed. Named people, no standing admin, access revoked at pilot end.

They check: What data classification is touched?
You answer: Scoped to University-internal / de-identified data — no FERPA student records, so no auto-trigger of HECVAT + Data Steward review.

They check: Will the vendor retain, own, or share data?
You answer: Pre-written DM-02 terms: no retention, no ownership, no use for training, deletion on termination.
The Talk Track
CHAMPION SAYS

"This isn't a SaaS purchase that holds our data. It's a build partner working inside the tools we've already approved — ChatGPT Codex, Claude, and Microsoft Copilot native workflows. Our data never leaves the tenant, and the firm has no standing access to it. I'd like to confirm the lightest SSSP path with you up front so we scope it right before anyone starts."

The Approval Path
The move / Why it speeds approval

1. The move: Open with the frame — a services build inside approved infra, not a SaaS purchase.
   Why it speeds approval: Kills the "new data custodian" reflex before it starts.

2. The move: File the SSSP (3SP) request early, naming the approved tools and the data class in scope.
   Why it speeds approval: SSSP is required for consulting that builds software; filing early reads as good faith.

3. The move: Hand over the no-retention / no-ownership / no-training / deletion clauses up front.
   Why it speeds approval: These are exactly what the Third-Party Assessment reads.

4. The move: Name the Data Steward for the data in scope and loop them in early.
   Why it speeds approval: Their sign-off sits on the critical path; early contact prevents a late stall.

5. The move: Ask security to name the path — don't assume it.
   Why it speeds approval: Collaboration beats argument. They own the tier call; let them make it.
The one question to ask security

"Given we're not a data custodian and the pilot only touches University-internal / de-identified data — what's the lightest applicable SSSP path, and do we trigger a UISO security assessment, a Third-Party Assessment, or a HECVAT?"

Further Reading — IU Sources