Approver(s):
Authorizes Release:
Responsible Area:
Review Cycle:
Last Review:
Related Policies and Additional References:
Summary
St. Mary’s University frequently engages with third-party vendors to support various aspects of its operations. While these partnerships are often essential for efficient and effective service delivery, they also introduce potential risks to our information security and data privacy.
The Third-Party Vendor Access Policy is a critical component of St. Mary’s University’s overall information security framework. It establishes comprehensive guidelines and procedures for managing the risks associated with granting external parties access to our information systems and data.
This policy aims to:
- Protect the University’s information assets from unauthorized access, modification, or disclosure.
- Ensure compliance with relevant legal and regulatory requirements, including but not limited to FERPA, HIPAA, and PCI DSS.
- Maintain the integrity and availability of St. Mary’s information systems.
- Establish clear expectations and responsibilities for both St. Mary’s and its third-party vendors.
- Provide a structured approach to assessing, monitoring, and managing third-party risks throughout the engagement lifecycle.
The policy covers all aspects of third-party vendor relationships, from initial risk assessment and access provisioning to ongoing monitoring and relationship termination. It applies to all St. Mary’s employees responsible for managing vendor relationships, as well as to the third-party vendors themselves.
By adhering to this policy, St. Mary’s aims to harness the benefits of third-party partnerships while maintaining a robust security posture and protecting the confidentiality, integrity, and availability of its information resources.
All St. Mary’s personnel involved in managing third-party relationships should familiarize themselves with this policy and ensure its consistent application. Regular reviews and updates of this policy will be conducted to address evolving security threats and changing business needs.
Purpose
The purpose of this policy is to establish measures to mitigate information security risks associated with third-party access and responsibilities in protecting St. Mary’s University information. This policy applies to all individuals responsible for installing new information resources and those who grant third-party access for the maintenance, monitoring, and troubleshooting of existing information systems.
Scope
Third-party entities play a crucial role in supporting St. Mary’s University (hereinafter referred to as StMU) hardware and software management and operations. When properly authorized, they can remotely view, copy, and modify data and audit logs; correct software and operating system issues; monitor and optimize system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds.
Setting limits and controls on what third parties can view, copy, modify, and control is essential to eliminate or reduce the risks of revenue loss, liability, loss of trust, and potential damage to St. Mary’s University assets.
This policy requires third parties and their authorized subcontractors to:
- Share only the minimum necessary information.
- Securely return or destroy personal information upon contract expiration.
- Provide immediate notification to the University in the event of a sensitive data breach.
Policy Statement
Third-party physical access to the data center will be enforced as stated in the Data Center Access policy and requires approval and authorization by an IS Director. Third parties accessing the data center facilities must sign a Confidential Information Agreement prior to accessing the StMU network. Third-party access is temporary.
Third parties must comply with all applicable rules, policies and StMU standards and agreements, including, but not limited to:
- Data Center Access
- Code of Business Conduct
- Acceptable use of Technology
- VPN Access
- Confidential Information Agreement
- Information Security Standards and Guidelines
Guidelines
StMU will provide an IS point of contact (POC) for the third-party vendor. The point of contact will work with the third party to make certain that it is in compliance with these rules.
- Access Management:
- Each third-party user with access to StMU sensitive information must be cleared to handle that information.
- Access must be provisioned based on the principle of least privilege.
- Third-party access must be regularly reviewed and promptly revoked when no longer needed.
- Data Classification: All data accessed by third parties must be classified according to StMU’s Data Classification Policy and handled accordingly. (Under development)
- Security Controls: Third-party systems that interact with StMU’s network or data must implement security controls that meet or exceed our Information Security Standards:
- Log control – Change management and access control
- Use security software to protect data
- Encrypt sensitive data, at rest and in transit
- Conduct regular backups of data
- Update security software regularly, automating those updates if possible
- Have formal policies for safely disposing of electronic files and old devices
- Compliance:
- All third-party personnel with access to any High Security System must adhere to all regulations and governance standards associated with that data (e.g., PCI and security requirements for cardholder data, FERPA requirements and HIPAA privacy rule for student records)
- Third parties are required to comply with StMU auditing requirements, including annual security audits. (Third-Party Vendor Management Policy – In Development)
- Incident Response:
- Third-party personnel must report all security incidents directly to their assigned POC within 24 hours of discovery.
- If a third-party vendor is involved in a StMU security incident, it must be reported and documented in accordance with the Confidential Information Agreement and StMU’s Incident Response Plan.
- Change Management: Third-party personnel must follow all applicable StMU Change management processes and procedures.
- Work Parameters:
- Regular work hours and duties will be defined in the contract (agreement).
- Work outside of defined parameters must be approved in writing by the corresponding department head.
- If access to the internal network is required, the user must abide by the VPN Access Policy.
- Credentials and Documentation:
- Third-party credentials must be uniquely identifiable, and password management must follow the StMU Password Policy.
- The third party’s major work activities must be documented. Project milestones, deliverables, and “as built” documents must be submitted during, and upon project completion.
- Data Handling upon Termination:
- Upon termination of a contract or at the request of StMU, the third party will return or destroy all StMU information and provide written certification of that return or destruction within 24 hours, unless otherwise specified in the vendor agreement.
- Subcontractor Management: Third parties must obtain written approval from StMU before engaging any subcontractors. They must ensure that subcontractors adhere to the same security standards and provide StMU with details of subcontractor security measures.
- Technology Standards: Third parties must adhere to StMU’s specified technology standards and baselines when connecting to or interacting with StMU systems.
- Ongoing Monitoring: StMU will implement continuous monitoring of third-party compliance and risk levels, with the right to conduct spot checks and audits as deemed necessary.
Enforcement
Violation of this policy may result in disciplinary action, including termination for employees and termination of business relationships for contractors or consultants. Additionally, individuals may lose access privileges to StMU information resources and be subject to civil and criminal prosecution. Third-party vendors will be held accountable for reimbursing damages resulting from disclosure, breach, data loss, or other events that put university data at risk.
Exclusions or Special Circumstances
Exceptions to this Policy shall only be allowed if previously approved by the Information Services Directors and this approval is documented and verified by the Vice President of Information Services.
Definitions
Business Continuity – The capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruptive incident.
Change Management – The process of requesting, analyzing, planning, implementing, and evaluating changes to StMU’s IT systems.
Continuous Monitoring – An ongoing process of proactively identifying and addressing vulnerabilities and compliance issues in information systems and third-party relationships.
Data Classification – The process of categorizing data based on its level of sensitivity and the impact to StMU should that data be disclosed, altered, or destroyed without authorization.
Exit Strategy – A plan for ending a third-party relationship in a controlled and secure manner, ensuring all StMU assets and data are protected.
FERPA – The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal Law that protects the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
HIPAA – The Health Insurance Portability and Accountability Act governs how school health services may share student health information with other parts of the school community.
Incident Response – The process of responding to and managing the aftermath of a security breach or cyberattack.
PCI DSS – The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
Principle of Least Privilege – A security concept in which a user is given the minimum levels of access – or permissions – needed to perform their job functions.
POC – Point of Contact.
Risk Assessment – The process of identifying, analyzing, and evaluating risks associated with third-party vendors’ access to StMU’s systems or data.
Security Controls – Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
StMU – St. Mary’s University.
Subcontractor – A person or company hired by a third-party vendor to perform part of the vendor’s contract with StMU.
Third-Party Vendor – Any external organization or individual that provides services or products to StMU and requires access to StMU’s information systems or data.
VPN – A VPN, or Virtual Private Network, routes all of your internet activity through a secure, encrypted connection, which prevents others from seeing what you’re doing online and from where you’re doing it.