Information Security

Vendor and Third Party Management

For the purposes of the CSU Security Program, third parties include, but are not limited to, contractors, service providers, vendors, and those with special contractual agreements or proposals of understanding.

CSU policies provide direction for managing third party relationships and granting access to various University resources including:

Remote Access

The CSU Information Security policy requires that third party contractors and consultants comply with CSU and Campus Information Security requirements, and that campus sponsors manage third party access. Access to campus information containing protected data may be provided only to those having a need for specific access in order to accomplish an authorized task. For more information on remote access requirements and requesting accounts, visit the Vendor or Third Party Remote Access and Accounts page.

Selecting a New Vendor

The Information Security Office should be involved early on in any contract for goods or services that may involve University Level 1 and Level 2 data. Involving Information Security will assist in the successful selection of a product or vendor.

Managing Vendor Access

To determine access requirements for third parties, utilize the principles of need-to-know and least privilege.

At a minimum, the following controls must be in place:

  • Access to protected information should be granted only after review and approval by an appropriate university official. Such approvals will only be granted where access is required for the employee to perform their job duties.
  • Individuals who have been authorized to access protected data must sign (via hand written or electronic signature) a confidentiality agreement.
  • Access request documents and confidentiality statements should be stored in a central location under the jurisdiction of the campus sponsor.
  • External organizations (data processors) that collect, process, store or dispose of protected information on behalf of CSU, Chico must have a written contract requiring that the processor agree to act only on the instructions of the campus and to abide by the information protection provisions appropriate for the information being processed.

IT Procurement Review (ITPR)

The Information Technology Procurement Review (ITPR) process is part of CSU, Chico's commitment to making the resources and tools used on campus accessible and secure. Chancellor's Office policy requires the campus to purchase Electronic and Information Technology (E&IT) products that meet Section 508 Accessibility requirements. Systems and applications that are not accessible pose a risk to the campus if a student, faculty, staff, parent, or the public is unable to use them.

For more information about the CSU Procurement policy visit the CSU System ATI Procurement Process page.

There are 3 main areas assessed as part of IT Procurement Review:

  1. Accessibility Risk
  2. Information Security Risk
  3. System Compatibility

An ITPR is required when you are purchasing any Electronic and Information Technology (E&IT), regardless of price. This includes equipment, software, or systems that can store, manage, control, manipulate or retrieve information for human interaction; in other words, any technology with a human interface. This includes everything from computers to videos, web content and telecommunications products.

To complete the ITPR process you will need to obtain a Voluntary Product Accessibility Template (VPAT) from the vendor. If protected/confidential data will be collected, you also need to complete a Security Data Requirements Checklist (PDF).

Negotiating Contracts

Critical or protected information may only be shared with third parties when it is specifically permitted or required by law. There must be a written agreement between the parties that addresses the applicable laws, regulations, and CSU/campus policies, standards, and procedures. Security controls must also be implemented and followed to adequately protect the information asset.

The agreement must also require the third party, and any of its subcontractors with whom it is authorized to share the data, to share only the minimum information necessary, to securely return or destroy the personal information upon expiration of the contract, and to provide immediate notification to the campus whenever there is a breach of Level 1 data.

Contract Language

The CSU has developed general provisions (PDF), or contract language, which are required for the purchase of IT goods and services. Additionally, supplemental provisions (PDF) are required for contracts involving CSU data. It is highly recommended that the CSU General Provisions for IT Acquisitions and the Supplemental Provisions for IT Acquisitions be provided to prospective vendors before negotiations begin.

On Campus Access

On-campus and remote access to information assets containing Level 1 or Level 2 data, as defined in the CSU Data Classification Standard (PDF), must be based on operational and security requirements. Information assets include not only the primary operational copy of the protected information assets, but also data extracts and backup copies.

Limited Access Areas

Physical areas such as data centers and other locations on the campus where information assets containing protected data are processed or stored are defined as limited-access areas. Third parties must have their identity validated prior to accessing a limited-access area, and must be escorted by an appropriate employee at all times.

Third parties must not be granted access to campus Level 1 or Level 2 information assets, as defined in the CSU Data Classification Standard, until the access has been authorized, a Confidentiality Agreement has been signed, appropriate security controls have been implemented, and a contract/agreement has been signed defining the terms for access.

Accessing Additional Resources