6.28 VENDOR ACCESS MANAGEMENT
Effective: August 15, 2024
Purpose: There are times where the University contracts with a third party or vendor to provide services to the University. The University’s commitment to the confidentiality, integrity, and accessibility of our information assets must extend to any and all information that a third party or vendor may access or manage.
Therefore, this policy ensures that any University information asset that a third party or vendor may access remains as secure as if the third party or vendor were a University employee.
Scope: This policy applies to all third parties or vendors that require access to University information as part of their agreement with the University.
Responsible Office: Information Technology
Policy Statement: The Information Custodian of the information asset has the ultimate responsibility for the protection of the information. The Information Custodian must be informed of any access to information that is protected by privacy laws or rights. The Information Custodian has the responsibility to carry out requests by the owner including the granting of access to the owner’s information and ensuring that the access meets all University information security policies, standards and guidelines.
The Information Custodian providing access to that university data has the ultimate responsibility for ensuring that third parties have reviewed, agreed, and have signed the Non-Disclosure Agreement and IT Usage Policy.
The Information Security Officer (ISO) is responsible for monitoring and reporting compliance with this policy. The ISO is responsible for reviewing this policy annually. The University legal counsel has the responsibility to review all vendor agreements.
Third parties or vendors with access to any University information not classified as Public must sign a non-disclosure agreement and acknowledge the University’s acceptable use policy.
Vendor agreements that include access to any University information not classified as Public pursuant to the policy on Information Classification must be reviewed annually to ensure they meet all legal, regulatory, and business needs.
Vendors that manage or have access to information that is classified as Sensitive or Confidential as outlined in the policy on Information Classification must provide proof that their handling of that data meets or exceeds the University security practices. This can be accomplished either by a security review by IT staff or by a third-party SAS-70 audit.
The President or designee must approve any exceptions to this policy.
Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.
Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.
[Information Technology procedures - coming soon]
Related Policy Information: [coming soon]