Issuing Authority: TP&PC (Technology Planning & Priority Committee)
Purpose
This policy aims to ensure that the college’s third-party service providers do their part to protect college systems and data by employing appropriately robust security controls for the college data they create, process, transmit, and store. It is driven by the increasing threat environment and by external pressures such as increased audit and insurer scrutiny and stricter regulatory requirements. By establishing a reasonable and proactive approach to vendor security, we aim to minimize the risk of data breaches and other security incidents that could harm the college’s operations or reputation, or divert resources away from instruction. This policy outlines the procedures and criteria for vetting potential vendors and assessing the maturity of their security programs. By following these guidelines, we can offer helpful recommendations to campus risk decision-makers as they consider partnering with third-party service providers. A separate process is defined for evaluating vendor marketplace add-ons, plug-ins, and applications.
Vendor Evaluation Process
Scope
This process applies to all prospective cloud-hosted software-as-a-service (SaaS), platform-as-a-service (PaaS), or similar service providers. This is required if the service will:
- Create, process, store, or transmit data classified as medium- or high-risk per the Data Classification Policy and Secure Data Handling Policy
- Require a continuous integration with the college’s data systems
- Require integration with College authentication systems
Timing and Documentation Requirements
As early as reasonably possible in the vendor selection process, the information security programs of finalists or short-listed vendors should be evaluated to determine whether they have the appropriate elements and maturity for access to college data. The process begins by providing the IT security team with a completed Higher Education Community Vendor Assessment Tool (HECVAT). The questionnaire should be version 2.0 or later and should be in Microsoft Excel format with all underlying formulas intact. The full questionnaire is required for any service processing high-risk data; either the full or the lite version is acceptable for other data classifications. The requester should also provide supporting documentation, specifically any documentation the vendor references in the questionnaire.
Service Provider Evaluation Rubric
An IT security team member will review the HECVAT questionnaire and supporting documents. They will determine if the responses meet the requirements for access to the required data per the following evaluation rubric.
Access to High-Risk Data
Any vendor application that would create, process, store, transmit, or otherwise have access to high-risk data must meet these minimum requirements:
- Have full-time dedicated security staff. The organization must employ at least one full-time security professional for whom security is their primary responsibility; specifically, security must account for at least 51% of their assigned duties.
- Meet at least one of the following, and provide supporting documentation to that effect:
  - conform to industry-standard frameworks (e.g., NIST)
  - hold current industry-standard certifications (e.g., ISO 27001), or
  - have recently completed an industry-standard third-party assessment (e.g., SSAE)
- Describe their secure coding practice in alignment with industry standards.
Certifications, audits, or self-assessments must correspond to the application in question and must not merely relate to the third-party cloud host, PaaS, or IaaS provider.
Access to Medium-Risk Data
Any vendor application that would create, process, store, transmit, or otherwise have access to medium-risk data must meet these minimum requirements:
- Implement a next-generation firewall, web application firewall, or intrusion detection and prevention capabilities. At least one of these services should be implemented, and it should be a premium service beyond the basic security services provided by their cloud hosting provider.
- Implement a vulnerability management program that includes regular vulnerability scans and remediation processes and procedures.
Authentication
Any application requiring integration with our authentication must conform to one of our preferred authentication methods.
Report
The reviewer will provide the report(s) to the requester. This report will indicate whether the vendor meets or fails to meet the evaluation criteria for the classification of the required data.
If the vendor fails to meet any of the evaluation criteria, the report will describe how they fall short. For vendors who do not meet the requirements, the report will be provided to the requester and their vice president. If there are no alternative products, the requester and their vice president can discuss the risks and benefits with the Technology Planning & Priorities Committee (TP&PC). This step should happen before moving forward with the vendor against the recommendations of IT and the IT security staff.
Re-evaluation
IT security staff will re-evaluate vendors if their security posture changes. This includes a vendor that failed to meet requirements during vendor selection, and a contracted vendor-partner that has experienced a reported or reportable data breach.
Evaluation of Marketplace Applications
Scope
This section prescribes a separate process for evaluating products delivered through vendor marketplaces, such as WordPress plugins, Moodle plugins, the Zoom App Marketplace, Asana Apps and Applications, and the Slack Marketplace.
Process Initiation
Customers can request a product security evaluation in one of two ways:
- Request that the application be enabled in the vendor marketplace
- Contact the Help Desk or open an IT support ticket
Evaluation Rubric
An IT security staff member will evaluate the application based on the following criteria:
- There is no other approved application that provides the same services.
- The application requires only necessary permissions.
- The application has a relatively large install base.
- The application has a positive user rating.
- Most of the written reviews of the application are positive.
- There are no derogatory comments related to the security of the application.
If all of these statements are true for the application, it will be approved for use.
Approval
Upon successful evaluation against the rubric, the IT security staff will recommend the application for use. Final approval will be granted by an authorized administrator, who will then enable the application in the marketplace.
Revision History
Date of Change | Responsible | Summary of Change