SEC-S004 Third-Party Information Technology Vendor Management Standard

1.0    OBJECTIVE:  
The use of third-party information technology vendors provides the university economies of scale, as well as enhanced quality, security, and compliance.  The outsourcing of information technology services also creates risk to the university if the use of the technology, as well as the information security posture of the service and vendor, is not carefully evaluated.  The comprehensive evaluation of suppliers of third-party information technology services, software, and systems reduces risk and provides for the confidentiality, integrity, and availability of university data assets.  This document establishes the mandatory security requirements for procuring, managing, and monitoring third-party information technology vendors in use by the university.

2.0    RESPONSIBILITY:  
2.1    Director, Information Technology Security

3.0    APPROVAL AUTHORITY:
3.1    Associate Vice President and Chief Information Officer for Information Technology

4.0    SCOPE:
4.1    This document applies to all Austin Peay State University faculty and staff, contractors, vendors, and other agents operating on behalf of the university who are involved in the procurement and use of information technology services, software, and systems.  All outsourced information technology services that are used to store, process, or transmit university data will be subject to review regardless of cost.

4.2    This document specifically addresses the responsibilities and requirements of Information Technology Security in assessing, approving, and monitoring third-party information technology services, software, and systems to ensure appropriate security controls are in place concerning the sharing, transmission, and storage of university data with these vendors.  

5.0    DEFINITIONS:
5.1    Compensating Controls – Measures taken to address a weakness in existing controls, or to compensate for the inability to meet specific security requirements due to technical, operational, or contractual constraints.

5.2    Family Educational Rights and Privacy Act (FERPA) – A federal law that affords parents the right to have access to their children’s education records, the right to see/to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.  When a student turns 18 years old, or enters a postsecondary institution at any age, the rights transfer to the student.

5.3    Gramm-Leach-Bliley Act (GLBA) – A federal law that requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data.

5.4    Health Insurance Portability and Accountability Act (HIPAA) – A federal law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.

5.5    Personally Identifiable Information (PII) – Information that, when used alone or with other relevant data, can identify an individual.  Examples include an individual’s Social Security Number (SSN), driver’s license information, financial information, education records, and medical records.

6.0    REQUIREMENTS:
6.1    General

University-approved technology solutions are vetted by established procurement processes, including Information Technology (IT) compliance and legal reviews.  University units, departments, and personnel should use available university-approved technology unless a third-party vendor agreement is necessary to address circumstances where requirements cannot be met with reasonable effort or where doing so would significantly impair the educational, research, business, or service missions of the university.

6.2    Third-Party IT Vendor Review Process Requirements for Purchasing

a.    Data security is regulated by federal, state, and local laws and regulations, as well as university policies, standards, and procedures.  A review of the service and vendor will occur by Information Technology Security (ITSec) prior to the acquisition and implementation of a solution, and periodically upon renewal, to ensure that the university is able to fulfill its responsibility for the protection of university data assets.

b.    ITSec will assess the security posture of desired third-party information technology vendors to confirm the appropriate security controls are in place where university data is to be accessed by, collected by, transmitted to, or shared with the desired services, software, and systems.

c.    ITSec is part of the Govs e-shop approval chain for all information technology services, software, and systems purchase requisitions.   ITSec is responsible for assessing and approving these requisitions before they can be purchased.

d.    ITSec maintains appropriate documentation of all information security services, software, and systems that have been assessed and approved.  This documentation is available to OIT staff involved in the installation and maintenance of university computer assets and software.

e.    For services, software, or systems that are determined to be sharing, transmitting, or storing university PII data, ITSec will request and confirm the addition of Procurement’s Data Addendum to the contract, which the vendor is required to accept and sign.  Key aspects of the Data Addendum include: 1) the vendor agreeing to FERPA, HIPAA, GLBA, or other federally mandated regulations for data security, as applicable; 2) agreeing to promptly notify the ITSec director in the event of a data breach or compromise; 3) agreeing to provide audit reports such as SOC 2 or HECVAT if requested by the ITSec director; and 4) maintaining

6.3 Third-Party IT Vendor Monitoring

a.    ITSec will maintain applications and/or tools to facilitate monitoring of the security posture as well as identifiable vulnerabilities and exposures for contracted third-party services, software, and systems that share, collect, and/or transmit university PII data.  

b.    ITSec will request, as deemed necessary, periodic SOC 2 or HECVAT reports from high-risk third-party vendors that are sharing, collecting, and/or transmitting university PII data.

c.    If the ITSec director determines that the risk of an existing third-party vendor’s service, application, or system has become unacceptable, the ITSec director will advise the Chief Information Officer, Procurement, and the university’s senior leadership.  In such a case, the ITSec director will request a determination from the CIO and senior leadership to 1) accept the risk; 2) determine compensating controls to remediate the risk; or 3) discontinue use of the high-risk service, application, or system.

 

7.0    ASSOCIATED DOCUMENTS:
7.1    4:042 Information Security and Data Classification Policy

7.2    4:029: Acceptable Use of Information Technology Resources

7.3    Austin Peay State University Information Security Program

7.4    Third-Party Information Technology Vendor Management Standard Operating Procedure
 

8.0    RECORD RETENTION TABLE:

Identification              Storage       Retention    Disposition    Protection
OIT Managers file share     Electronic    Perpetual    Delete         Electronic Back-up


9.0    REVISION HISTORY:
Date:         Rev.    Description of Revision:
02/02/2024    1.0     Initial Release

***End of Standard***