Third-party vendor management standard
Purpose
The use of a third-party vendor enables the university to take advantage of economies of scale, greater efficiency, greater quality, greater security and greater compliance. The outsourcing of Information Technology ("IT") services also creates risks for the university if the use of the technology, and the information security posture of the service and vendor is not carefully evaluated. Such an evaluation reduces risk and provides for the confidentiality, integrity, availability and privacy of all members and associates of the university community as well as Information Technology Systems (鈥淥HIO Systems鈥). This standard establishes fundamental security guidelines, requirements and procedures that support the mandatory protection of information assets for business, contractual, regulatory and legal reasons.
Scope
This standard will apply to all OHIO Systems and assets, employees, vendors and agents operating on behalf of the university using OHIO Systems. Outsourced IT services that are used to store, process, or transmit university data shall be subject to review regardless of cost.
Individual areas may choose to have additional security and controls that are greater than those outlined in this standard.
Standard
Data security is regulated by Federal, State, and Local laws and regulations, as well as university policies, procedures, and standards. A review of the service and vendor will occur prior to the acquisition and implementation of a solution, and periodically upon renewal, to ensure that the university is able to fulfill its responsibility for the protection of data.
In all situations where university data or OHIO Systems are to be accessed by, or shared with a third party vendor, university units and all individual faculty, staff, and associates sponsoring the solution must ensure that an assessment of the vendor鈥檚 security posture is achieved through the following requirements.
Review process requirements:
- If the vendor or service will access university data, and can be classified as IT expertise or labor, hardware/infrastructure, storage, operating environment, application environment, other cloud-based service, or subscription, the acquisition process will be on hold until the Vendor Technology Workbook ("Vendor Workbook") is completed by the vendor. To expedite the process, it is recommended that the unit sponsor request the vendor complete the vendor workbook as soon as they decide to engage the vendor for the solution.
- If applicable, the Request for Proposal ("RFP") process should include a request to the vendor finalists to complete the vendor workbook. The results of the information contained within the vendor workbook should be taken into consideration when choosing a vendor using the RFP process.
- Completed vendor workbooks will be reviewed by the Vendor Security Workgroup on a bi-weekly basis. The Vendor Security Workgroup consists of representatives from different service areas within the Office of Information Technology ("OIT"). If additional questions arise as the result of the completed workbook, Information Security Office ("ISO") staff will reach out to the unit sponsor or vendor contact depending upon the nature of such questions. Technology solutions that access sensitive or restricted data may take longer to obtain approval than solutions that do not access sensitive or restricted data.
- Upon approval of a vendor/solution the unit sponsor will be notified via email or an approval message through the university procurement system.
- The unit sponsor(s) should be aware that certain types of data require the university to comply with external mandates for protected information compliance. Such mandates include, but are not limited to:
- Student Records -Federal Educational Rights and Privacy Act ("FERPA") 鈥揷ontracts involving the handling of FERPA data must include additional FERPA contract language.
- Health Insurance Portability and Accountability Act ("HIPAA") 鈥揷ontracts involving the third-party handling of protected health information ("PHI") require a Business Associate Agreement with the third party.
- Payment Card Industry Data Security Standards ("PCI-DSS") 鈥揷ontracts involving the processing of credit card payments and related services within the scope of PCI-DSS must include PCI compliance contract language.
- Reviews for IT security will only cover a single use case and are required upon new solution acquisition; changes in scope or use cases for current solutions; changes in system design or controls; business transfer, merger, or acquisition; and upon the renewal of current solutions.
- Periodic review of a vendor鈥檚 security posture and continued compliance will be conducted as needed, based upon changes in system use, design or controls, contract renewal or business transfer, merger, or acquisition.
Vendors will be evaluated by the Vendor Security Workgroup based on their internal controls; policies and practices as it relates to the areas of compliance with the law; ownership of data; non-disclosure/confidentiality of data; basic security provisions; breach notification processes and associated liability; access and return of data upon contract termination; response to legal requests for data; the geographic location of data; and the use of subcontractors. Additionally, data with a sensitivity rating of high as outlined in the university policy Data Classification(93.001) will consider in the review, the vendor鈥檚 audit of the security of the service (SSAE16, SOC 2 or similar report) and the vendor鈥檚 compliance with performing periodic risk assessments.
Definitions
Confidentiality: The requirement and need for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: The necessity of guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
Availability: The requirement to ensure timely and reliable access to and use of information.
References
- Policy 91.006 Information Security Risk Management
- Policy 91.005 Information Security
- Policy 93.001 Data Classification NIST
- 800 Series Publications
- Vendor Technology Workbook
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete: Exception request form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Faculty: Brian McCarthy
- Finance and Administration: Julie Allison
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved on 02/03/2022.