General
This section implements .
Management of Third Parties
Any third party that requires access to the University’s information assets must undergo a risk assessment in accordance with Section 2 of this plan. If the third party will require access to , the third party risk assessment must be conducted by the Information Security Officer or designee, in consultation with ITS Leadership.
Annually, the Information Security Officer or designee will review third parties with access to the University’s information assets to verify that the access is still required for business needs.
Granting Access to Third Parties
No third party service provider may receive access to University information assets unless it requires that access for a legitimate and documented business need. In any case, each third party service provider may receive only the access that is required to accomplish the documented business need. No other access may be provided.
Each third party service provider requiring access to University information assets must have a contractual relationship with the University. The contract must include specific provisions requiring the service provider to protect the University’s information. If a third party will store or transfer , the contract must also include provisions to ensure the secure destruction or disposal of this data.
The Information Security Officer or designee will participate in such contract negotiations to ensure the implementation of appropriate security controls.