Penn has a questionnaire for vendors as part of our SPIA process. This document is intended to help guide vendor responses about existing or planned security controls protecting hosted data and/or systems. Responses are used to evaluate the vendor's existing security posture and whether it meets Penn’s current recommendations and guidelines.
Whenever possible, vendors or operators of other outside systems which handle sensitive or confidential information should complete this questionnaire; especially, if possible, before any decision is made to contract with the vendor to host university data.
Download the questionnaire from http://www.upenn.edu/computing/security/cloud/spia_for_vendors.pdf