IT Vendor Management Policy

Effective Date: January 28, 2025
Last Reviewed Date: January 28, 2025
Review Cycle: Annual
Policy Owner: Information Technology Services (ITS)
Approved By: President's Council
Policy Contact: Information Security & Compliance Analyst

Purpose

The purpose of the IT Vendor Management Policy is to establish a framework for managing relationships with IT Vendors, including consultants and contractors who require access to IT systems, and to ensure that vendors' security and privacy practices are appropriate to, and consistent with, the risks their products, services, or access entail. This policy aims to safeguard restricted or confidential information, as defined in the New York Tech Data Classification Matrix, by enforcing consistent standards for vendor selection, risk assessment, and ongoing management.

Policy Scope

This policy applies to all IT Vendors providing IT products, services, or solutions that involve access to, or handling of, university data. This includes cloud services, managed IT services, software vendors, hardware vendors, vendors whose solution requires access to the New York Tech network, and any other IT-related service. It also applies to consultants and contractors who require access to university systems, networks, or data. All university departments engaging IT Vendors for IT-related services, products, or solutions must adhere to this policy.

Policy Statement

The university is committed to:

  1. Maintaining the confidentiality, integrity, and availability of university data, with specific emphasis on regulated restricted data, including Controlled Unclassified Information (CUI) and Protected Health Information (PHI).
  2. Ensuring that all IT vendors, consultants, and contractors comply with contractual terms, applicable regulatory obligations and New York Tech security/privacy standards.
  3. Conducting thorough risk assessments for all IT vendors, consultants, and contractors prior to engagement.
  4. Establishing formal agreements, including Independent Contractor Agreements and Business Associate Agreements (BAAs) where required, to define responsibilities regarding data protection, security/privacy requirements, compliance obligations, and audit rights.
  5. Monitoring and auditing performance to ensure ongoing compliance and security.
  6. Terminating relationships with parties that fail to meet contractual or regulatory obligations.

Procedures

  1. IT Vendor Selection and Risk Assessment:
    • Prior to selecting a vendor, Information Technology Services will conduct a comprehensive risk assessment to ensure that the vendor's security and privacy practices are appropriate to, and consistent with, the risks its products, services, or access may entail.
    • The risk assessment will include an evaluation of the vendor's security practices, past performance, contractual language, financial stability, and experience in handling sensitive data.
    • Where applicable and upon request, vendors must provide documentation of their compliance with NIST SP 800-171 (for vendors handling CUI) and HIPAA (for vendors handling PHI), including relevant certifications, audit reports, or other compliance evidence.
  2. Contractual Requirements:
    • All contracts with IT vendors must include clauses related to data protection, access control, breach notification, and the handling of sensitive data in accordance with university standards.
    • A Business Associate Agreement (BAA) must be executed for any vendor handling PHI to ensure compliance with HIPAA's security and privacy provisions.
    • Contracts will clearly define roles, responsibilities, and procedures for handling security incidents, breaches, or violations associated with the vendor's activities.
    • Vendor personnel, contractors, and consultants who require access to university systems, networks, or data must be approved by the appropriate New York Tech personnel and must adhere to all New York Tech data security and privacy standards.
  3. Data Security and Access Controls:
    • Access to university systems and data will be granted based on the principle of least privilege.
    • All vendor access will be provisioned with a defined expiration date.
    • Multi-factor authentication (MFA) is required for access to sensitive systems and data.
    • Encryption of data in transit and at rest will be implemented by all parties, as appropriate to the classification of the data.
  4. Ongoing Monitoring and Auditing:
    • The university will regularly monitor vendors to confirm that regulatory requirements are met and that applicable security controls remain in place.
    • Upon request, vendors must submit security audits, vulnerability assessments, compliance reports, and/or other evidence of their security program.
    • Periodic vendor performance evaluations will assess compliance with contractual obligations as well as changes in regulatory or university requirements.
  5. Incident Management and Reporting:
    • Vendors must immediately report any security incident, breach, or compromise that affects university systems or data.
    • In the event of a security breach, the vendor must cooperate fully with the university's investigation and response efforts, including providing access to logs, records, and any other required information.
    • A clear process for reporting, investigating, and resolving incidents will be defined in vendor contracts.
  6. Vendor Termination:
    • Upon termination, the vendor must securely return or destroy any university data, ensuring that no data is retained beyond the agreed-upon period.
    • New York Tech will require written certification of the removal or destruction of university data.

Related Internal Policies

This policy complements all other university policies related to vendor acquisition and management, including but not limited to the purchasing policy, the PCard policy, and grant funding restrictions, as well as applicable federal, state, and local laws and any special guidance imposed by a restricted funding source.

Regulatory References

The following are references to related Federal and State laws, policies, guidelines, and resources on cyber security.

Violations

Non-compliance with this policy by university staff, contractors, or vendors may result in disciplinary action, up to and including termination of employment or contract. Vendors found to be in violation of contractual obligations or regulatory requirements may face penalties, including termination of their contract and legal action.