Current Status: Active PolicyStat ID: 5293990

Information Technology Vendor Management Standard

University Standard

Title

University of North Carolina at Chapel Hill Standard on Information Technology Vendor Management

Introduction

Purpose

To provide guidance to individuals and units on their responsibilities for managing suppliers of Information Technology (IT) services, software, and systems; to manage risk to University information and other assets by creating clearer communication and understanding between vendors and University staff; and to define the required security controls monitoring activities.

Scope of Applicability

All individual University Constituents and business/academic units involved in purchasing IT services, software, and systems.

Standard

In accord with the University of North Carolina at Chapel Hill Policy on Responsibility for University-Purchased Goods, Services, and Equipment, this Standard sets specific minimum requirements for the management of suppliers of IT services, systems, and software. It provides the minimum requirements units must meet to maintain vendor compliance with the University IT security program.

Individuals involved in obtaining IT services, software, and systems from outside suppliers are responsible for ensuring that suppliers are held to the terms of their agreement, provide all required deliverables, and adhere to the applicable requirements of University IT Policies, Standards, and Procedures.

Units must have a process in place to prioritize active management of specific vendors based on risk and criticality. Unit management may determine the criteria for prioritizing vendors, but should take into account at least:

  • classification of the University information to which the vendor may have access, particularly Tier 2 or Tier 3 (a standard assessment or questionnaire may be used to determine data classification);
  • risk to the University (this may be based upon the results of an internal risk assessment or a review of the vendor’s documentation, particularly any third-party assessment they are able to provide);
  • vendor system design; and
  • mission criticality of the systems impacted by the vendor.

This evaluation should take place at selection of the vendor, and these criteria should be reviewed periodically during the term of each vendor’s engagement to account for changed circumstances.

Vendor Management Requirements

Vendors identified as top priorities by the unit must be managed, with appropriate documentation, according to at least the following minimum requirements:

Contract phase
  • The unit must maintain access to a copy of the active agreement for as long as any provision may be enforceable. For example, if a vendor has held University data that would require a Business Associate Agreement (BAA), then the unit must maintain the agreement and BAA in keeping with the University General Records Retention and Disposition Schedule and applicable law. If the agreement is for the purchase of “perpetual” software licenses, then the agreement must be maintained for the life of the software in use by the unit. If applicable, ensure that a copy of the BAA and underlying agreement have been submitted to the Institutional Privacy Office. (If the unit is not the primary contract-holder, maintaining a summary of the relevant provisions from the primary contracting unit is sufficient.)
  • In collaboration with the appropriate University contracting unit, ensure the agreement contains terms suitable to protection of University data and systems involved (e.g. IT Security standards, indemnification for data breach, cyber-liability insurance, confidentiality, BAA, nondisclosure, return or destruction of data at termination, accessibility requirements, or other appropriate terms). Determine whether language beyond standard Terms & Conditions is needed to meet unit and University requirements.
  • Include in the contract any requirement for ongoing provision of information for review (updated security assessments, Voluntary Product Accessibility Template (VPAT), etc.) and any requirement to cooperate with audit, re-assessment, business continuity planning/testing, etc.
Monitoring
  • Maintain (and update at least annually) a list of top priority vendors for the University unit, and information including at a minimum:
    • Vendor contact name and information
    • Unit responsible-individual contact name
    • Goods or services provided
    • Direction to copy of agreement/terms and other critical vendor documentation
  • For each top priority vendor, at least annually:
    • Classify priority vendors according to category (general, sensitive information, mission-critical) and prioritize monitoring activities according to risk and criticality of services.
    • No less than annually, monitor vendor performance and the key security controls in place for the vendor. (Security control monitoring may be limited to review of vendor security documentation and confirmation that any training of vendor staff required under the agreement has occurred, or to ensuring that the primary contracting unit has done so. See the Information Security Controls Standard.) The review should include at minimum:
      • Review the agreement terms/contract and document that review and any performance issues that need to be addressed
      • Confirm that vendor performs adequate business continuity planning and testing of services provided to the University (if applicable)
    • Ensure that vendor staff privileged access to University systems is reviewed in an effective way and/or confirm that vendors hosting University sensitive information have rigorous access review procedures in place.
    • Ensure that vendor staff performing IT changes to University systems follow University Change Management processes and/or confirm that vendors providing IT systems or services adhere to rigorous internal IT change management processes and communicate changes effectively to the University.
    • When a risk assessment is involved, obtain the vendor’s documentation of their security program at least annually and maintain it in such a way that the unit has access to the documentation in accord with the General Records Retention and Disposition Schedule.
    • Ensure that the unit has a responsible individual designated for management of the vendor relationship, and that this individual is able to facilitate required University incident reporting and management by the vendor.

Exceptions

This Standard shall be treated as advisory rather than mandatory until one year after its initial authorization. (This does not supersede existing requirements under law or current University policy.)

Other exceptions must be authorized in writing by the Chief Information Officer or their designee(s), or Chief Information Security Officer.

Definitions

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Health Insurance Portability and Accountability Act (HIPAA)

Federal Trade Commission Red Flags Rule

University Policies, Standards, and Procedures

Policy on Responsibility for University-Purchased Goods, Services, and Equipment

Policy on Information Security

Information Security Controls Standard

Enterprise Data Governance Policy

Enterprise Data Governance Standard

Information Classification Standard

Policy on Prohibition of Gifts or Favors from Vendors

Policy on Purchased Goods as Property of the State

Contact Information

Primary Contact

ITS Policy Office its_policy@unc.edu

Other Contacts

Institutional Privacy Office (for BAA process assistance): privacy.unc.edu, privacy@unc.edu

Issues with vendor performance: contact Purchasing Services, purchasing_team@unc.edu

All revision dates: 9/18/2018

Approval Signatures

Step Description | Approver | Date
Publication | Kim Stahl: Senior Policy and Process Lead | 9/18/2018
Publication | Matthew Teal: University Program Specialist | 9/18/2018
Approval by Issuing Officer | Dennis Schmidt: AVC for Institutional Privacy and CISO | 9/18/2018
Finalize feedback | Kim Stahl: Senior Policy and Process Lead | 9/12/2018
University Policy Review Committee | Jennifer Deneal: Administrative Director | 9/12/2018
Incorporate feedback | Kim Stahl: Senior Policy and Process Lead | 9/11/2018
Administrative Review | Philip Garriss: Information Systems Auditor | 9/11/2018
Administrative Review | Matthew Teal: University Program Specialist | 9/11/2018
Administrative Review | Lee Bollinger: Associate University Counsel | 9/10/2018
Review by Key Stakeholders | Kim Stahl: Senior Policy and Process Lead | 9/10/2018