IT Security Vendor Management

1.0 VENDOR MANAGEMENT RECOMMENDATIONS & GUIDELINES –DATA SECURITY

1.1 PURPOSE

The purpose of this document is to describe the information security requirements to be followed in the selection and ongoing risk management of third party service providers for Bryant University and the privacy of confidential information of students/employees/alumni.  This document also defines the information security requirements for contracts with third parties that have access to confidential information about students/employees/alumni.

1.2 SCOPE

All engagements with service providers, having to do with security of financial data and University data systems, shall be in accordance with this document.  Arrangements involving third party access to university information, processing facilities or assets shall be based on a formal contract.  The contract will contain, or reference, all security requirements and assigned responsibilities to ensure that there is no misunderstanding between the university and the third party.  This document covers the following requirements for vendor management:

  • Vendor Management Recommendations & Guidelines
  • Outsourcing
  • Risk Management Process

1.3 RECOMMENDATIONS & GUIDELINES

Sponsors and owners of the business function to be outsourced shall exercise appropriate due diligence in the selection of the service provider, including the following consideration:

  • Service provider references and experience
  • Security expertise of service provider personnel
  • Background checks on service provider personnel

The university shall require by contract that the service provider implements appropriate security controls in accordance with university guidelines.  Services provided by the service provider shall be monitored (through the completion of annual self-assessment questionnaires/reviews) to confirm that they are according to these guidelines.

If the service provider provides confidential information, it is the responsibility of the sponsor to ensure that any obligations of confidentiality are satisfied.

The following terms shall be included in all third party contracts:

  • Non-disclosure agreements covering the university’s systems and data
  • That the services provide conforms to all federal and state laws and regulations.
  • The right to audit or review any recent SSAE 16 (formally SAS 70 ll) or equivalent independent audit report
  • Service Level Agreement (SLA) that includes, description of services, availability (including in the event of a disaster), and recourse if service levels are not met
  • Provisions that Service provider use adequate physical and logical controls used to restrict and limit the access to the university’s sensitive information
  • That the service provider has adequate incident response documentation and assurance that the provider shall communicate incidents promptly
  • The general guidelines on information security; i.e. “shall maintain compliance with all applicable federal and state guidelines…” and “ shall maintain security controls to protect the confidential information of the university …”
  • Asset protection, including:
    • Procedures to protect university assets, including information and software
    • Procedures to determine whether there has been any compromise of assets, e.g., whether loss or modification of data, has occurred
    • Controls to ensure the return or destruction of information and assets at the end of, or at an agreed point in time during, the contract
    • Provisions regarding integrity and availability
    • Restrictions on copying and disclosing information
  • A description of each service to be made available
  • The target level of service and unacceptable level of service
  • The respective liabilities of the parties to the Agreement
  • Intellectual Property Rights (IPRs) and copyright assignment and protection of any collaborative work
  • The right to audit contractual responsibilities or to have those audits carried out by a mutually agreed upon third party
  • A statement of outlining the existence and maintenance of third the party’s contingency plans to ensure that services are maintained in the event of a disaster
  • A statement ensuring the existence of logical and physical protection controls and mechanisms to ensure that the controls are followed
  • Any proprietary software and documents be kept in escrow to provide the university access to these resources in the event the third party is no longer a viable entity
  • An acknowledgement that the service provider is responsible for the ongoing security of the university’s confidential information
  • Any contract for these types of services must be reviewed for completeness by the University Data Security Officer and the Purchasing Department, prior to execution by either party.

1.4 Risk Management

Departmental managers will complete an annual contract review to assure that SLA and other deliverables and measurable are being attained and received.

1.5 RESPONSIBILITIES

            Role Responsibility
Departmental Managers Follows this document for contracts with third parties.  Appoints a point of contact for managing the relationship with the third party.  Will complete annual self assessments to ensure third party providers are compliant
IT Staff Assists departmental managers of the business function to be outsourced with the due diligence required as needed
ISPC Ensures the compliance with this document
Purchasing Contact Suppliers on behalf of User-Departments when requested

Obtain quotes or conduct RFP on behalf of user-departments when requested.

Review contract for conformance to Bryant Terms & Conditions prior to execution.