Third-Party Security Management Policy

Last Reviewed: October 6, 2022
Last Revised: October 6, 2022

  1. Introduction

    This policy aims to ensure that all contracts and agreements between the University of Denver and third parties include acceptable levels of information security and information governance processes, so that University data is protected and managed in line with statutory requirements and best practices.
    This policy applies to all vendors, contractors, consultants, partners, and other third parties that use, have access to, or manage information on behalf of the University.

  2. Policy Overview

    The University has established management practices to control security risks associated with third-party engagements.
    The University has established minimum security requirements for third-party access to its systems and data.

  3. Policy Process

    As part of its ongoing due diligence, the University conducts risk management assessments of its third-party relationships. It sets security requirements commensurate with the level of risk and complexity, including compliance and regulatory risks.

    1. Third-Party Management
      1. Security Review
        1. Perform pre-contract due diligence to assess the security of third parties and their system, application, or service (IT security, financial stability, reputation, etc.). See Table 1 in Appendix A.
        2. Security reviews of third-party relationships will be scoped commensurate with the level of risk and complexity, based on the third-party classification. See Table 1 in Appendix A.
        3. InfoSec will review the security assessment and determine whether the third party meets the University’s security requirements. If the third party does not meet the University’s expectations, compensating controls must be implemented and the third party reassessed.
      2. Contracting Agreements
        1. Sign a Data Processing Addendum (DPA) if applicable.
        2. Minimum security requirements must be included in third-party contracts. The CISO will develop and maintain the set of security requirements to be included in third-party contracts. See Third-Party Contract Security Requirements.
        3. Third parties must sign a Non-Disclosure Agreement (NDA) before being given access to University systems and data.
      3. Third parties must be classified based on business criticality and the sensitivity of the data they are expected to hold, process, or access.
      4. The University has adopted a minimum set of security requirements for third-party access. See third-party access security requirements outlined in the Contractors and Vendors section of the User Account and Access Management policy.
      5. Third-party contracts must be tracked. Unless otherwise specified, the contract owner is designated as the DU Liaison.
      6. Third-party relationships must be subject to periodic security reviews throughout the lifecycle of the relationship. See Table 3 in Appendix A.
      7. Upon contract termination, the University must work with the third party to have its data returned or destroyed.
         
    2. Compliance Requirements
      1. HIPAA Compliance – Contracts with third parties that handle protected health information (PHI) should adhere to the same general guidelines as other contractual relationships in which the University is involved.
      2. FERPA Compliance - Contracts with third parties that handle education records, including PII data (FERPA), shall adhere to the same general guidelines as other contractual relationships in which the University is involved.
      3. GDPR Compliance – Where a contract involves a third party handling personal data (PD) of European Union (EU) citizens, the third party will likely have to adhere to GDPR, including honoring the rights of data subjects and observing restrictions on where data can or cannot be stored.
         
    3. Exceptions
      Exceptions to this policy must be reviewed and approved by IT management.

     

  4. Definitions
  • InfoSec: The University’s information security team.
  • DU Liaison: Typically, the business manager who requested or contracted with a third party.
  • Third Party: Vendors, contractors, and business partners with which the University has a contract.

     

    Appendix A
    Table 1: Third-Party Assessment Process based on Data Classification

    Data Classification / Data Type                                  | Security Questionnaire / SOC2 or Equivalent | InfoSec Review                                            | Can the unit accept risk?
    Public                                                           | Recommended                                 | Optional/light review                                     | Yes
    Internal                                                         | Recommended                                 | Yes/light review                                          | No
    Confidential                                                     | Required                                    | Yes/standard review                                       | No
    Sensitive or Restricted (HIPAA / FERPA / PII / CUI / PCI / CPA)  | Required                                    | Yes/standard review + HIPAA/FERPA/PCI review requirements | No
    Table 2: Third-Party Assessment and Contract Documentation

    Data Security Document: Request for third-party security review
    Responsibility: DU units
    Description of requirement: Required at the start of the third-party contracting process and when requesting an IA data classification determination, or for evaluation of alternative documentation from vendors.

    Data Security Document: Minimum security requirements
    Responsibility: Procurement Services
    Description of requirement: Minimum security requirements for contracts.

    Data Security Document: Data Protection Addendum (or its equivalent)
    Responsibility: Procurement Services
    Description of requirement: Required for all agreements and contracts where a third party accesses, processes, or maintains any type of institutional data classified as Confidential or Sensitive; recommended for data classified as Internal (or the unit can accept the risk); not required for data classified as Public.

    Data Security Document: Security Questionnaire
    Responsibility: Procurement Services
    Description of requirement: Required to be completed prior to contract award or agreement with a prospective third party that will access, process, or maintain data classified as Confidential or Sensitive.

    Data Security Document: Third-party security review memo
    Responsibility: InfoSec
    Description of requirement: Review memo outlining any cybersecurity risks identified as part of the security review process, any recommendations, and InfoSec’s disposition.

    Data Security Document: Security exceptions
    Responsibility: InfoSec
    Description of requirement: Identified third-party security issues are documented and signed off by DU unit leadership and IT leadership. Reviewed at least annually. Included in the cybersecurity risk report to senior leadership.

    Data Security Document: Payment Card Information Attestation of Compliance
    Responsibility: Merchant Services
    Description of requirement: Required annually from a Qualified Security Assessor (QSA), or the third party must be listed as a Level 1 service provider on the VISA website.

    Table 3: Third-Party Security Review

    Review Type: Security Light
    Type of documentation needed/reviewed:
      • Third-party provided application/service security information
      • Security Scorecard information
      • Third-party breach information
      • Add to security review tracking document
    Outcome: Third-party security review memo (email)

    Review Type: Standard Review
    Type of documentation needed/reviewed:
      • Third-party provided application/service security information
      • Security Scorecard information
      • Third-party breach information
      • On-site assessment (as needed)
      • Security Questionnaire or SOC reports
      • Add to security review tracking document
    Outcome: Third-party security review memo (email or document)

    Review Type: Periodic Reviews
    Type of documentation needed/reviewed:
      • Review of risk assessments conducted by an unaffiliated third party, the DU Security Questionnaire, or SOC 2 reports
      • Review of SLAs, breaches, and security incidents
      • Ongoing third-party security performance
      • Vulnerability scans on third-party equipment connected to the University’s network
      • Any weaknesses or deficiencies identified during an independent or organizational assessment of a third party require a remediation plan from the third party for making the needed improvements
      • (As needed) On-site reviews, including walk-through/visual inspection of facilities, interviews with on-site personnel, and review of policies and procedures
    Outcome: Third-party security review memo (email or document)