Vendor and Third Party Management
For the purposes of the CSU Security Program, third parties include, but are not limited to, contractors, service providers, vendors, and those with special contractual agreements or proposals of understanding.
CSU policies provide direction for managing third party relationships and granting access to various University resources including:
- Remote Access
- Selecting a New Vendor
- Managing Vendor Access
- Negotiating Contracts
- On Campus Access
- Accessing Additional Resources
The Information Security Office should be involved early on in any contract for goods or services that may involve University Level 1 and Level 2 data. Involving Information Security will assist in the successful selection of a product or vendor.
To determine access requirements for third parties, utilize the principles of need-to-know and least privilege.
At a minimum, the following controls must be in place:
- Access to protected information should be granted only after review and approval by an appropriate university official. Such approvals will only be granted where access is required for the employee to perform their job duties.
- Individuals who have been authorized to access protected data must sign (via handwritten or electronic signature) a confidentiality agreement.
- Access request documents and confidentiality statements should be stored in a central location under the jurisdiction of the campus sponsor.
- External organizations (data processors) that collect, process, store, or dispose of protected information on behalf of CSU, Chico must have a written contract requiring that the processor agrees to act only on the instructions of the campus and to abide by the information protection provisions appropriate for the information being processed.
IT Procurement Review (ITPR)
For more information about the CSU Procurement policy visit the CSU System ATI Procurement Process page.
There are 3 main areas assessed as part of IT Procurement Review:
- Accessibility Risk
- Information Security Risk
- System Compatibility
An ITPR is required when you are purchasing any Electronic and Information Technology (E&IT), regardless of price. This includes equipment, software, or systems that can store, manage, control, manipulate, or retrieve information for human interaction. In other words, any technology with a human interface. This includes everything from computers to videos, web content, and telecommunications products.
To complete the ITPR process you will need to obtain a Voluntary Product Accessibility Template (VPAT) from the vendor. If protected/confidential data will be collected, you also need to complete a Security Data Requirements Checklist.
Critical or protected information may only be shared with third parties when it is specifically permitted or required by law. There must be a written agreement between the parties that addresses the applicable laws, regulations, and CSU/campus policies, standards, and procedures. Security controls must also be implemented and followed to adequately protect the information asset.
The agreement must also require the third party, and any of its subcontractors with whom it is authorized to share the data, to share only the minimum information necessary, to securely return or destroy the personal information upon expiration of the contract, and to provide immediate notification to the campus whenever there is a breach of Level 1 data.
The CSU has developed general provisions, or contract language, which are required for the purchase of IT goods and services. Additionally, supplemental provisions are required for contracts involving CSU data. It is highly recommended that the CSU General Provisions for IT Acquisitions and the Supplemental Provisions for IT Acquisitions are provided to prospective vendors before negotiations begin.
On-campus and remote access to information assets containing level 1 or level 2 data, as defined in the CSU Data Classification Standard, must be based on operational and security requirements. Information assets include not only the primary operational copy of the protected information assets, but also data extracts and backup copies.
Limited Access Areas
Physical areas such as data centers and other locations on the campus where information assets containing protected data are processed or stored are defined as limited-access areas. Third parties must have their identity validated prior to accessing a limited-access area, and must be escorted by an appropriate employee at all times.
Third parties must not be granted access to campus Level 1 or Level 2 information assets, as defined in the CSU Data Classification Standard, until the access has been authorized, a Confidentiality Agreement has been signed, appropriate security controls have been implemented, and a contract/agreement has been signed defining the terms for access.
CSUC Guidelines & Contract Language
CSU Policies and Standards
- 8060.S000 Access Control (PDF)
- ICSUAM Policy 8080.0 - Physical Security