Third-party vendor management standard

Purpose   

The use of third-party vendors enables the University to take advantage of economies of scale along with increased levels of efficiency, quality, security, and compliance. However, the outsourcing of Information Technology ("IT") services also creates risks for the University if the use of the technology and the information security posture of the service and vendor are not carefully evaluated. Such an evaluation reduces risk and provides for the confidentiality, integrity, availability and privacy of all members and associates of the University community as well as Information Technology Systems ("OHIO Systems"). This standard establishes fundamental security guidelines, requirements and procedures that support the mandatory protection of information assets for business, contractual, regulatory, and legal reasons.

Scope 

This standard will apply to all OHIO Systems and assets, employees, vendors, and agents operating on behalf of the University. Outsourced IT services that are used to store, process, or transmit university data shall be subject to review regardless of cost, payment method, or funding source. 

Individual business units and colleges may choose to have additional security and controls that are greater than those outlined in this standard.   

Standard 

Data security is regulated by Federal, State, and Local laws and regulations, as well as university policies, procedures, and standards.  A review of the service and vendor will occur prior to the acquisition and implementation of a solution, and periodically upon renewal, to ensure that the university is able to fulfill its responsibility for the protection of data. 

In all situations where University data or OHIO Systems are to be accessed by, or shared with, a third-party vendor, University units and all individual faculty, staff, and associates sponsoring the solution must ensure that an assessment of the vendor's security posture is completed through the following requirements.

Review Process Requirements:

  1. If the vendor or service will access University data and can be classified as IT expertise or labor, hardware/infrastructure, storage, operating environment, application environment, other cloud-based service, or subscription, the acquisition process will be on hold until the review is completed.
  2. The Vendor Review process will be completed on a weekly basis by a work group consisting of representatives from Information Security, Digital Accessibility, and other stakeholders in the IT procurement process. Technology reviews are dependent on the responsiveness of a given vendor to the work group's request for information. Additionally, solutions that access sensitive or restricted data may take longer to obtain approval than solutions that do not access sensitive or restricted data.
  3. Upon approval of a vendor/solution, the unit sponsor will be notified via email, a comment within the technology review ticket, or an approval message through the university procurement system.
  4. The unit sponsor(s) should be aware that certain types of data require the University to comply with external mandates for protected information compliance. Such mandates include, but are not limited to:
    1. Student Records: Family Educational Rights and Privacy Act ("FERPA"). Contracts involving the handling of FERPA data must include additional FERPA contract language.
    2. Health Insurance Portability and Accountability Act ("HIPAA"). Contracts involving the third-party handling of protected health information ("PHI") require a Business Associate Agreement with the third party.
    3. Payment Card Industry Data Security Standard ("PCI-DSS"). Contracts involving the processing of credit card payments and related services within the scope of PCI-DSS must include PCI compliance contract language.
  5. Technology Reviews cover only a single use case and are always required upon new solution acquisition; upon changes in scope or use case for current solutions; upon changes in system design or controls; upon business transfer, merger, or acquisition; and upon the renewal of current solutions.
  6. Periodic review of a vendor's security posture and continued compliance will be conducted as needed, based upon changes in system use, design or controls; contract renewal; or business transfer, merger, or acquisition.

Vendors will be evaluated by the Technology Review Workgroup (TRW) based on their internal control policies and practices as they relate to the following areas: compliance with the law; ownership of data; non-disclosure/confidentiality of data; basic security provisions; breach notification processes and associated liability; access to and return of data upon contract termination; response to legal requests for data; the geographic location of data; and the use of subcontractors. Additionally, for data with a sensitivity rating of high as outlined in the university policy Data Classification (93.001), the vendor's audit of the security of the service (SOC 2, HECVAT or similar report) and the vendor's compliance with performing periodic risk assessments will be evaluated as part of the review.

Definitions 

Family Educational Rights and Privacy Act (FERPA): a federal law that protects the privacy of student education records.

Health Insurance Portability and Accountability Act (HIPAA): a federal law enacted in 1996 that sets standards for protecting sensitive health information from being disclosed without the patient's consent. It includes the Privacy Rule, which governs the use and disclosure of protected health information (PHI), and the Security Rule, which sets standards for securing electronic PHI.

Payment Card Industry Data Security Standard (PCI-DSS): a set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

SOC 2: Abbreviation for System and Organization Controls 2. This is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). It specifies how organizations should manage customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are used to assess the effectiveness of an organization's controls in these areas.

HECVAT: Abbreviation for the Higher Education Community Vendor Assessment Toolkit. This is a questionnaire designed to help higher education institutions assess the security, privacy, and compliance standards of third-party vendors. It aims to streamline the procurement process and ensure that vendors meet the necessary cybersecurity requirements.

References 

Policy 91.006 Information Security Risk Management

Policy 91.005 Information Security  

Policy 93.001 Data Classification

NIST 800 Series Publications

Exceptions  

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Exceptions to this standard will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:  

Complete: Exception request form.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit Risk & Compliance: Josh Gonzalez, Chief Privacy Officer
  • Audit Risk & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
  • Finance: Julie Allison, Associate Vice President, Finance
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education

History  

Draft versions of this policy were circulated for review and approved on February 3, 2022.

Draft revisions of this policy were circulated for review and approved on May 16, 2025.