Ensures secure engagement with vendors, suppliers, and third parties through evaluation, assessing risks, managing contracts, controlling access, and maintaining documentation.
VENDOR, SUPPLIER, AND THIRD-PARTY SECURITY POLICY
Policy Objective
The purpose of this policy is to ensure secure engagements with, and the secure acquisition of services and assets from, vendors, suppliers, and other third-party entities.
Scope
All vendors, suppliers, and other third parties and the systems, assets, and areas they may access or that may be acquired from them.
Policy
Section 1 – Evaluation
- All vendors, suppliers, and other third parties shall be evaluated for suitability of purpose.
- All vendors, suppliers, and other third parties that process, store, or otherwise interact with Parkland College data shall be evaluated for risk related to the systems, components, and services provided.
- Evaluations of vendors, suppliers, and third-party partners shall be documented.
Section 2 – Assessment
- All vendors, suppliers, and other third parties providing products or services that process, store, or otherwise interact with sensitive data, or that require access to Parkland College networks or assets, shall be assessed for risk using a formalized vendor assessment process.
- Vendors of hosted software and services that are considered critical to operations shall be assessed for response and recovery planning.
- Vendor assessments shall be documented and reviewed on a regular basis.
Section 3 – Contracts
- Wherever possible, contracts shall be maintained with vendors, suppliers, and third-party partners to ensure implementation of appropriate measures to mitigate and control risk.
- Wherever possible, contracts and service agreements shall include appropriate provisions related to product and/or supply chain security, regulatory compliance, accessibility, and other related details.
- Vendor contracts must be reviewed on a regular basis to confirm that contractual obligations are being met.
Section 4 – Access
- Every third party or vendor with access to secure physical areas must be escorted.
- Every agent of a vendor or third party with access to the Parkland College network, data, or other information assets must agree to, and sign, the Responsible Use Policy before access is granted.
- Any vendor access given to the Parkland College network, data, or other information assets shall be governed by the Access Control Policy and related Standards.
- No vendor or third party shall retain access to Parkland College secure physical areas, network, data, or other information assets beyond the expiration of the associated agreement, engagement, or contract governing the relationship with the vendor or third party.
- Every account, access card, or credential given to a vendor shall be temporary in nature.
Section 5 – Vendor and Service Provider Management
- An inventory of vendors and service providers being engaged or used by Parkland College must be actively maintained.
- Every vendor and service provider must be classified based on its potential risk to the organization.
- A lifecycle for vendors and service providers must be maintained and must include processes for decommissioning vendors and service providers and for the disposal of any data they may have in their possession.
Standards:
ISP-12 - Vendor and Service Provider Evaluation and Assessment Standard (login required)