Information Security Standards

THIRD-PARTY ACCESS

GENERAL

Vendors and other third parties play an important role in supporting hardware and software management and operations for customers. Vendors may have the capability to remotely view, copy, and modify data and audit logs. They might remotely correct software and operating system problems; monitor and fine-tune system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of liability, embarrassment, and loss of revenue and/or loss of trust to the University.

APPLICABILITY

This procedure applies to vendor-accessible University information systems. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with vendor access. The procedures described herein apply to all departments, administrators, and vendors who are responsible for vendor-supplied information resources.

This procedure does not apply to third parties who access University data that is already exposed to the public, such as the University website.

PROCEDURES

1. Personnel who provide vendors access to University information systems shall ensure vendor compliance with all applicable University policies, practices, standards, and agreements including, but not limited to: safety policies, privacy policies, security policies, auditing policies, software licensing policies, responsible use policies, and other University information security standard administrative procedures.

2. Vendors who are given access to any non-public University information systems shall have agreements and contracts that define:

a. The University information to which the vendor should have access;

b. How University information is to be protected by the vendor;

c. Acceptable methods for the return, destruction, or disposal of University information in the vendor's possession at the end of the contract;

d. That use of University information and information resources is only for the purpose of the business agreement. Any other University information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others; and,

e. Vendors shall comply with terms of applicable non-disclosure agreements.

3. Texas A&M University-Commerce shall provide an information resources point of contact to the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with University policies.

4. Each vendor shall provide A&M-Commerce with a list of all employees assigned to University contracts. The list shall be updated and provided to the University within 24 hours of staff changes. Failure to notify the University of staff changes may cause the vendor to incur additional liability if information is released.

5. Appropriate access authorization for each onsite vendor employee (i.e., University affiliate) shall be specified by the resource owner according to the criticality of the information resource.

6. Vendor personnel shall report all security incidents to the Information Technology Help Desk.

7. The responsibilities and details of any vendor management involvement in University security incident management shall be specified in the contract.

8. The vendor must follow all applicable University change control processes and procedures.

HISTORY

Last Updated March 31, 2014