Vendor SecurityTechnology Services
Purpose
This Vendor Security Policy outlines the requirements and expectations for third-party vendors that provide online services or facilitate other processes on behalf of Gustavus Adolphus College. The primary goal of this policy is to ensure the security, confidentiality, and integrity of the college's data and systems while minimizing risks associated with third-party vendor relationships.
Scope
Any system or service provided by an outside party that transmits, manipulates, houses, or accesses College data, as defined in the Data Classification and Handling Policy, for any official or unofficial purpose.
Vendor Selection and Evaluation
Selection
Technology Services must assess the suitability of potential vendors by considering their security practices, compliance with relevant regulations, and their ability to meet data protection standards. Typically, this information is provided by the vendor as a formal security assessment document, such as the Higher Education Community Vendor Assessment Tool (HECVAT). Any contract for a technology vendor/product that falls within the aforementioned scope statement, must receive approval from Technology Services prior to being signed.
Evaluation
Vendors will be evaluated based on their current security posture, data protection practices, and track record in safeguarding sensitive information. Evaluation criteria may also include:
- Security certifications and compliance with industry standards (e.g., ISO 27001).
- Data handling, sharing, and storage practices.
- History of security incidents and their response and resolution.
- Access controls and authorization mechanisms.
- Vulnerability management and patching procedures.
- Physical security measures.
- Anecdotal reports from peers and/or security industry experts.
- Compatibility with existing infrastructure, including other systems and processes.
Status Assignation
Technology Services will review the vendor(s) and product(s) using all relevant criteria and assign one of three statuses:
- Approved (full)
- Approved (probationary)
- Denied
Full approval is usually granted for the term of the contract. The status may come under further review upon contract renewal.
Probationary approval is granted for a shorter period of time, usually no more than one calendar year. Technology Services will expect to see improvements from the vendor during the specified duration, and/or the vendor’s access may be limited to data that has been classified as “public” or “confidential.” A follow up assessment may also be required to verify that significant changes have been made to the vendor’s security practices and posture.
Denied is the status applied to vendors/products that do not provide sufficient security documentation and assurances, and/or show significant deficiencies in security practices that could impact College data.
Management
Technology Services will collect and monitor vendor assessments, updating them as needed. A College point of contact from the sponsoring department/area should be appointed to manage communications between Technology Services and the vendor during the evaluation process, as well as any subsequent audits, reviews, and security or compliance related activities. In most cases, Technology Services will work through this designated point of contact to facilitate the work required as part of this policy. Changes to the vendor relationship (discontinuation or alteration of contracted services) or to the designated point of contact should be referred to Technology Services.
Vendor Contractual Obligations
Data Protection Clause
All vendor contracts must include specific language requiring vendors to protect College data and comply with applicable laws and regulations. Vendors should be held accountable for breaches of data confidentiality and integrity.
Access Control
Vendors should implement strict access controls to ensure that only authorized personnel can access College data. Access rights should be granted on a need-to-know basis.
Data Encryption
Vendors must encrypt data both in transit and at rest using strong encryption methods. Encryption standards should align with industry best practices.
Security Assessments and Audits
Security Audits
Technology Services reserves the right to conduct security audits of vendor systems, processes, and controls on behalf of the College. Vendors are expected to cooperate fully during these audits.
Compliance Reporting
Vendors must provide evidence of compliance with relevant regulations and industry standards upon request.
Incident Response and Notification
Incident Reporting
Vendors are required to promptly report any security incidents, breaches, or suspected breaches to the College's designated point of contact or the information security program coordinator.
Notification
In the event of a security incident, vendors must work with the college to assess the impact and notify affected parties as required by law or contractual obligations.
Subcontractors and Third-Party Relationships
Vendors are responsible for ensuring that their subcontractors and third-party partners adhere to the same security and data protection standards outlined in this policy.
Termination of Vendor Relationships
In the event that a vendor relationship is terminated, vendors must cooperate with the College to facilitate the secure transfer of data and any other assets in their possession.
Compliance and Monitoring
The College will periodically assess vendor compliance with this policy through audits and reviews. Non-compliance may result in the termination of the vendor relationship.
Policy Implementation Assistance
Contact the Chief Technology Officer with questions or comments related to this policy.
Policy Authority
The XLT has responsibility for this policy and will obtain necessary approvals for changes.