Background
Third-party vendors play an important role in the support of hardware and software management and operations. Third parties may have the ability to remotely view, copy or modify data, correct software and operating system problems, monitor systems and fine tune system performance. Limits must be set and controls implemented to reduce risk to the university.
This standard is applicable to all third-party users (also called “affiliates”) connecting to the university’s network, either internally or via remote access.
Standard
The vendor contract must contain contractual language making adherence to this standard mandatory, and the contract must include the Data Security Rider. The university department contracting with the third party is responsible for, and must ensure, the third party's compliance with the following standards:
- Affiliates must access the university network using the provided accounts.
- Affiliates must use the university provided VPN and must use university approved multi-factor authentication when accessing university IT resources.
- Servers located in a university owned data center must be separated on an isolated network within the data center and follow the best practices of Network Isolation and Segmentation.
- Affiliates must utilize access that is consistent with the principle of Least Privilege.
- Affiliates must comply with all university Policy, Procedures, Standards and Guidelines.
- Affiliates must comply with all federal and state laws and regulations including but not limited to FERPA, HIPAA, PCI-DSS and FISMA.
- Affiliates must complete a Non-Disclosure Agreement (NDA) prior to accessing Controlled or Restricted university data, and the affiliate's sponsor must maintain all NDA records.
- Affiliates must use university data and IT resources only for the purpose as stated in the business agreement or contract.
- Affiliates must immediately report all information security incidents to the IT Helpdesk.
- Affiliates must follow all applicable university change control processes and procedures.
- Affiliates must use software that is properly licensed and appropriately up to date.
- Affiliates must adhere to the Data Center Visitor Policy when accessing any university data center.
- Affiliates must adhere to the applicable safeguards in the Data Governance & Classification Policy.
- Affiliates must maintain user access and login information.
- Affiliates must provide Milligan IT with a list of all personnel working on the contract. The list must be updated and provided to Milligan IT within 48 hours of changes in personnel assignments.
- Affiliates must have a background check if working with, accessing or having access to university restricted data as classified in the Data Governance & Classification Policy.
- Affiliates must be a citizen or a permanent resident (“green card”) of the United States of America. Non-immigrant foreign nationals are not permitted to have access to servers located in a university data center.