Purpose
The IT Vendor/Third Party Access Policy informs DeSales University (DSU) management, business owners, IT project teams and support staff of the DSU requirements for vendor access to DSU Information Systems.
The policy defines vendor responsibilities for the protection of DSU information and information systems
Scope
The IT Vendor Access Policy applies to all individuals and/or parties that are responsible for the installation of new DSU Information System assets, and the operations and maintenance of existing DSU Information Systems, and who do or may allow vendor access for support, maintenance, monitoring and/or troubleshooting purposes.
Policy
- Vendor access to DSU Information Resources is granted solely for the work contracted and for no other purposes.
- Vendors must comply with all applicable DSU policies, practice standards and agreements, including, but not limited to:
- Privacy Policies
- Security Policies
- Auditing Policies
- Software Licensing Policies
- Code of Conduct
All relevant policies are available from the Information Technology website located on the MyDSU Portal.
- Vendor agreements and contracts must specify:
- The DSU information the vendor should have access to. If, at the time of contract negations this is unknown or ambiguous, mention of this should be made in the agreement.
- How DSU information is to be protected by the vendor. A copy of the Vendor's Security and Privacy Policy should be made available to DSU where appropriate.
- Acceptable methods for the return, destruction or disposal of DSU information in the vendor's possession at the end of the contract.
- Agreement that the Vendor must only use DSU information and Information Systems for the purpose of the business agreement.
- Any other DSU information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others.
- Where applicable, IT will provide a technical point of contact for the vendor. The point of contact will work with the vendor to ensure the vendor is in compliance with DSU policies.
- Where applicable, the business owner will provide the vendor with a point of contact from within the relevant area. The internal point of contact is responsible for liaising with IT for all relevant technology processes.
- Before the commencement of the agreement, methods for:
- The monitoring and review of service performance,
- logging activities,
- submission of vendor reports and,
- roles and responsibilities regarding problem management
- Each vendor must provide IT with a list of all employee names working on the contract. The list must be updated and provided to IT within 24 hours of staff changes, wherever possible.
- Vendor access must be uniquely identifiable and password management must comply with DSU security policies.
- All vendor maintenance equipment on the DSU network that connects to the internet via any means, and all vendor accounts, will remain disabled except when in use for authorized maintenance.
- Upon departure of a vendor or vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to IT or destroyed within 24 hours.
- Upon termination of contract, or at the request of DSU, the vendor will return or destroy all DSU information and provide written certification of that return or destruction within 24 hours.
- Vendors are required to comply with all regulatory and DSU auditing requirements, including the auditing of the vendor's work.
- All software used by the vendor in providing service to DSU must be properly inventoried and licensed.
- Each vendor granted access to any DSU Information System agree that each individual:
- Has read and understands the security policies
- Understands the responsibility to comply.
- Understands the consequences of an infraction.
- Vendors who work on-site must comply with all physical security policies, and must register with campus police when visiting campus