UMGC Policy X-1.27

Third Party Vendor Management

Policy Category: Information Governance, Security & Technology
Policy No. & Title: X-1.27 Third Party Vendor Management
Policy Owner/Administrator: VP of Information Security
Effective Date: July 15, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Every 2 years
  1. Purpose

    The Third-Party Vendor Security Management program, governed by the Information Security Team, is an initiative to reduce the risk to University Data and computing resources from Third-Party Providers. Information Security collaborates with the Office of Legal Affairs, the Office of Procurement & Business Affairs, the University Data Protection Officer (DPO), and University Departments to protect Information Technology Resources and digital intellectual property at the University.

    The purpose of this policy is to ensure that all vendors have appropriate controls in place to minimize risks that could adversely impact the Confidentiality, Integrity, and/or Availability of the service or product.

  2. Scope and Applicability

    1. This Policy applies to all University operations involving University Information or its Information Technology Resources.

    2. This Policy applies to all University Employees, adjunct faculty, and Third-Party Providers, including contractors, consultants, temporary employees, and other third parties performing duties on behalf of the University.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein, and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.

    Confidentiality: The principle of preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.

    Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    Data: Element(s) of information in the form of facts, such as numbers, words, names, or descriptions of things, from which "understandable information" can be derived.

    Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

    Information Technology Resource(s): Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

    Information System: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    Integrity: The principle of ensuring that records and the Information contained therein are accurate and authentic by guarding against improper modification or destruction.

    Third-Party Provider: An external entity, including but not limited to service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, with or without a contractual relationship with the University.

  4. Third-Party Management

    1. Initial Screening

      1. All University departments engaging third-party IT products or services are required to submit the requested product or service for a security risk review.

      2. Based on the security review performed, the UMGC Information Security Team will determine if a comprehensive security assessment will be required prior to entering into any agreement with the vendor.

    2. Comprehensive Security Assessment

      1. The Third-Party Provider must complete the Higher Education Community Vendor Assessment Toolkit (HECVAT) security questionnaire and/or provide a copy of their most recent independent security audit or certification report (e.g., a SOC 2 report or an ISO/IEC 27001 certificate).

      2. The Information Security Team will review the security assessment and determine whether the Third-Party Provider complies with the University security requirements. If the Third-Party Provider is found non-compliant, compensating controls must be implemented and the Third-Party Provider reassessed.

    3. Contracting Agreements

      1. Third-Party Providers that will store, process or transmit Data must:

        1. Sign a Data Processing Agreement (DPA) if applicable.

        2. Permit inclusion of UMGC standard security clauses and language in all relevant contracts. These clauses address compliance with UMGC security policies, right to audit, right to access, right to monitor, and compliance with applicable regulations where feasible.

    4. Subsequent Reviews

      1. Each security review of a Third-Party Provider covers a single use case. A new review is required upon acquisition of a new solution, a change in scope or use case for a current solution, a change in system design or controls, a business transfer, merger, or acquisition, and upon renewal of a current solution.

      2. Periodic reviews of a Third-Party Provider's security posture and continued compliance will be conducted as needed, triggered by changes in system use, design, or controls, contract renewal, or a business transfer, merger, or acquisition.

  5. Exceptions

    Exceptions to this policy must be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard must be documented and approved.

  6. Enforcement

    1. Any Employee, Contractor, or Third-Party Provider performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Any Employee, Contractor, or other Third-Party Provider performing duties on behalf of the University who violates this Policy may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract, or pursuit of legal action.

  7. Related Policies

    UMGC X-1.02 Data Classification
    UMGC X-1.04 Information Security
    UMGC X-1.18 Information Security Risk Management
    UMGC 366.10 Contract Review and Maintenance Procedures
    UMGC 370.10 Procurement Policies and Procedures

  8. Effective Date

    This policy is effective as of the date set forth above.