Skip Navigation
University of Maryland Global Campus University of Maryland Global Campus
  • Locations
    • U.S. Locations
    • UMGC Asia
    • UMGC Europe
    • Learn Online
  • Get Help
    • Find Answers
    • Chat Now
    • Email Us
  • 855-655-8682
  • Current Students
Login
Request Info
Apply Now
  • Leadership & Governance
    Leadership & Governance
    • Office of the President
    • Strategic Plan
    • Boards and Committees
    • Executive Committee
    • Maryland Cybersecurity Council
    • Shared Governance
    • Academic Advisory Board
    • Adjunct Faculty Association
    • Student Advisory Council
    Related Links
    • Awards and Recognition
    • Mission and History
    • Regional Accreditation
    • University System of Maryland Membership
  • Arts
    Arts
    • Arts Program
    • Art Exhibitions
    • Art Collections
    • Art Talks
    • Art Galleries and Hours
    • UMGC TV
  • Policies & Reporting
    Policies & Reporting
    • Institutional Data
    • Facts at a Glance
    • Fact Book and Fact Sheet Archive
    • Policies
    • Academic Affairs Policies
    • Administration Policies
    • External Relations Policies
    • Faculty Policies
    • Fiscal and Business Affairs Policies
    • General Policies
    • Human Resources Policies
    • Info Governance, Security & Technology Policies
    • Research Policies
    • Student Affairs Policies
    • Fair Practices
    • Sexual Misconduct (Title IX)
    • Suspected Child Abuse and Neglect
  • Jobs At UMGC
    Jobs At UMGC
    • Apply for a Job
    • Who We Are
    • Culture
    • Faculty Careers
    • Professional Careers
    • Benefits
    • Careers FAQs
    • Community Engagement
    • New Hire Orientation
    • New Hire Onboarding
    • Benefits Enrollment Information
    • Retirement Enrollment Information
  • UMGC Blog
  • UMGC Podcast
    • U.S. Locations
    • UMGC Asia
    • UMGC Europe
    • Learn Online
    • Find Answers
    • Chat Now
    • Email Us
  • 855-655-8682
  • Current Students
Request Info
Apply Now
Skip to Menu Toggle Button

UMGC Policy X-1.27 UMGC Policy on Third Party Vendor Management

  1. University of Maryland Global Campus
  2. Administration
  3. Policies & Reporting
  4. Policies
  5. Info Governance, Security, & Technology Policies
  6. Third Party Vendor Management

EXPLORE MORE OF UMGC

  • Administration
    • Policies & Reporting
      • Policies
        • Info Governance, Security, & Technology Policies
Policy CategoryPolicy OwnerVersion Effective DateReview CycleLast ReviewedPolicy Contact
X. Info. Governance, Security & TechnologySVP, General Counsel, and Chief People OfficerJune 11, 2025Every 2 yearsJune 11, 2025Information Governance
  1. Purpose
    The Third-Party Vendor Security Management program, governed by the Information Governance Team, is an initiative to reduce the risk to University Data and computing resources from Third-Party Providers. Information Security collaborates with the Office of Legal Affairs, the Office of Procurement, the University Data Protection Officer (DPO), the University Records Manager, and other University departments to protect Information Technology Resources and digital intellectual property at the University.

    The purpose of this Policy is to ensure that all vendors have appropriate controls to minimize risks that could adversely impact Confidentiality, Availability, and/or Integrity of the service or product.
  2. Scope and Applicability
    1. This Policy applies to all University operations involving University Information or its Information Technology Resources.
    2. This Policy applies to all University Employees as well as adjunct faculty, Third-Party Providers to include Contractors, consultants, temporary Employees, and other third parties performing duties on behalf of the University.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Third-Party Management
    1. Initial Screening
      1. All University departments engaging third-party IT products or services are required to undergo a security risk review of the requested product or service.
      2. Based on the security review performed, the UMGC Information Governance Team will determine if a comprehensive security assessment will be required prior to entering into any agreement with the vendor.
    2. Comprehensive Security Assessment
      1. If required, the Third-Party Provider must complete a security questionnaire, known as the Higher Education Community Vendor Assessment Toolkit (HECVAT) and/or provide a copy of their most recent independent security audit or certification reports (i.e., SOC 2, ISO 2700x certification).
      2. The Information Governance Team will review the security assessment and determine whether the Third-Party Provider complies with the University security requirements. If the Third-Party Provider is non-compliant, compensating controls will need to be implemented and reassessed.
    3. Contracting Agreements
      1. Third-Party Providers that will store, process, or transmit Data must permit inclusion of UMGC standard security clauses and language in all relevant contracts, which addresses compliance with UMGC security policies, right to audit, right to access, right to monitor, and compliance with applicable regulations where feasible.
      2. Third-Party Providers that will store, process, or transmit High Risk Data must sign a Data Processing Agreement (DPA).
    4. Subsequent Reviews
      1. Security reviews for third-party providers will cover a single use case and are required upon a new solution acquisition, changes in scope or use cases for current solutions, changes in system design or controls, business transfer, merger, or acquisition, and upon the renewal of current solutions.
      2. Periodic review of a Third-Party Provider security posture and continued compliance will be conducted as needed, based upon changes in system use, design or controls, contract renewal or business transfer, merger, or acquisition.
  5. Exceptions
    Exceptions to this Policy should be submitted to Information Governance for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
  6. Enforcement
    1. Any Employee, Contractor, or Third-Party Provider performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Governance as soon as practicable.
    2. Any Employee, Contractor, or other Third-Party Provider performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
  7. Standards Referenced
    1. Most recent versions:
      1. USM IT Security Standards
      2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
      3. Cybersecurity Maturity Model Certification (CMMC)
  8. Related Policies
    1. UMGC X-1.02 UMGC Policy on Data Classification
    2. UMGC X-1.04 UMGC Policy on Information Security
    3. UMGC X-1.18 UMGC Policy on Information Security Risk Management
    4. UMGC VIII-3.02 UMGC Policy on Contract Review and Maintenance Procedures
    5. UMGC 370.10 Procurement Policies and Procedures
Request Info
Apply Now
Quick Links
  • Academic Calendar
  • Schedule of Classes
  • Submit Transcripts
  • Request Transcripts
  • Library
  • Events
  • News
  • Administration
  • University Store
  • FERPA
UMGC For
  • Prospective Students
  • Military & Veterans
  • Current Students
  • Partners
  • Alumni
  • Donors
  • Media
  • Job Seekers
Contact Us

855-655-8682
Help Center
More Contact Options
Social Links

Mailing Address
No classes or services at this location
3501 University Blvd. East,
Adelphi, MD 20783

  • Academic Calendar
  • Schedule of Classes
  • Submit Transcripts
  • Request Transcripts
  • Library
  • Events
  • News
  • Administration
  • University Store
  • FERPA
  • Prospective Students
  • Military & Veterans
  • Current Students
  • Partners
  • Alumni
  • Donors
  • Media
  • Job Seekers

855-655-8682
Help Center
More Contact Options
Social Links

Mailing Address
No classes or services at this location
3501 University Blvd. East,
Adelphi, MD 20783

University of Maryland Global Campus
UMGC is a proud member of the University System of Maryland.
Accessibility Terms & Conditions Consumer Disclosures & Policies Privacy Policy Social Media Guidelines Media Protection Title IX/Sexual Misconduct Report Fraud, Waste & Abuse Sitemap
The appearance of U.S. Department of Defense visual information does not imply or constitute DOD endorsement.
Copyright © 2025 University of Maryland Global Campus. All Rights Reserved.

By using our website you agree to our use of cookies. Learn more about how we use cookies by reading our Privacy Policy.

|