Introduction

  1. Purpose: This policy outlines the best practices for managing IT vendors at Rockhurst University to ensure the security and safety of student (FERPA), employee, and financial information.
  2. Scope: This policy applies to all IT vendors engaged by Rockhurst University.

Vendor Selection

  1. Evaluation Process: A comprehensive evaluation process will be followed to select vendors based on their capabilities, experience, and security measures.
  2. Security Assessment: Vendors must undergo a thorough security assessment to ensure they have appropriate controls in place to protect sensitive information.
  3. Contractual Requirements: Contracts with vendors should include clauses that outline their responsibilities for protecting data confidentiality, integrity, and availability, including compliance with the Family Educational Rights and Privacy Act (FERPA).

Security and Privacy Requirements

  1. Data Protection: Vendors must implement appropriate technical and organizational measures to safeguard student (FERPA), employee, and financial data against unauthorized access, disclosure, alteration, and destruction.
  2. Compliance with Laws and Regulations: Vendors must comply with all relevant data protection laws (including FERPA), regulations, and industry standards.
  3. Incident Response: Vendors must have an incident response plan in place to effectively respond to security incidents and minimize their impact.

Documentation and Testing

  1. Required Documentation:
     1. Security Policies: Vendors should provide their security policies, including information on access controls, data classification, incident response, and disaster recovery.
     2. Risk Assessment: Vendors should conduct regular risk assessments to identify potential vulnerabilities and implement appropriate controls.
     3. Security Awareness Training: Vendors should provide evidence of security awareness training for their employees.
     4. Third-Party Audits: Vendors should provide documentation from independent third-party audits to validate their security practices.
  2. Testing:
     1. Vulnerability Assessments: Vendors must conduct regular vulnerability assessments to identify and address security weaknesses.
     2. Penetration Testing: Vendors should perform periodic penetration tests to identify vulnerabilities that could be exploited by malicious actors.
     3. Compliance Audits: Vendors must undergo regular audits to ensure compliance with security and privacy requirements.

Ongoing Vendor Management

  1. Vendor Classification:
     1. Critical Vendors: Vendors providing services critical to Rockhurst University's core operations, such as student information systems or financial systems, will receive heightened scrutiny and monitoring.
     2. Non-Critical Vendors: Vendors providing services that are less critical, such as office supplies or non-sensitive software, will still undergo assessment and monitoring, but to a lesser extent.
  2. Review and Monitoring:
     1. Critical Vendor Review: Critical vendors will undergo periodic reviews at least annually, focusing on their security controls, incident response, and compliance with contractual obligations.
     2. Non-Critical Vendor Monitoring: Non-critical vendors will be monitored periodically to ensure ongoing compliance with security and privacy requirements.
  3. Incident Reporting: Vendors must promptly report any security incidents or breaches that could impact the confidentiality, integrity, or availability of Rockhurst University's data.
  4. Contractual Review: Vendor contracts, especially those with critical vendors, should be periodically reviewed and updated to reflect changes in security requirements, technology, and the legal/regulatory landscape.

Termination and Transition

  1. Exit Strategy: Vendor contracts should include provisions for an orderly termination process, including the return or destruction of all sensitive data.
  2. Data Backup: Vendors should provide a comprehensive data backup plan to ensure the availability and recoverability of Rockhurst University's data upon termination.

Vendor Rating

  1. Criticality Assessment: Vendors providing critical services will be rated based on their importance to Rockhurst University's core operations and the potential impact of their service disruptions.
  2. Performance Evaluation: Critical vendors will undergo regular performance evaluations, assessing their service quality, responsiveness, and compliance with contractual obligations.

Training and Awareness

  1. Training Programs: Rockhurst University may provide training programs to educate employees about the importance of vendor management, security risks, and their responsibilities in maintaining data confidentiality.
  2. Awareness Campaigns: Regular awareness campaigns will be conducted to keep employees informed about the potential risks associated with vendor engagements.

Compliance and Enforcement

  1. Non-Compliance: Non-compliance with this policy may result in termination of vendor contracts and legal actions if necessary.
  2. Policy Review: This policy will be periodically reviewed and updated to reflect changes in technology, regulations, and best practices.

Note: This policy provides a general framework for IT vendor management specific to Rockhurst University's requirements. It is advisable to consult with legal, security, and compliance professionals when implementing and customizing vendor management practices.