Third Party Risk Management Program

Issue/Question

How does USD monitor third-party providers for security breaches, and how does it comply with GLBA?

Environment

  • SaaS
  • Defender for Cloud Apps
  • Security
  • Umbrella
  • GLBA

Cause

Compliance and security maturity

Resolution

ITS STAFF ONLY

Third Party Risk Management Monitoring, Governance, and Breach Response Policy

1. Introduction

This policy outlines the requirements for ongoing monitoring, governance, and response to cybersecurity incidents involving third-party service providers, following the Department of Education’s interpretation of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. The policy integrates internal tools, processes, and existing USD governance frameworks to ensure the security and integrity of sensitive and restricted data.

2. Purpose

The purpose of this policy is to establish guidelines and procedures for assessing, monitoring, and responding to cybersecurity risks and data breaches posed by third-party service providers (TPSPs). These guidelines ensure compliance with the GLBA, safeguarding sensitive information, and protecting against unauthorized access or disclosure.

3. Scope

This policy applies to all third-party service providers that handle or access the institution’s sensitive and restricted data. This includes cloud service providers, managed service providers (e.g., Red Canary), and software vendors. The policy also covers the use of Microsoft Teams, SharePoint, and Google Workspace, as defined in the Data Sharing Policy.

4. Roles and Responsibilities

  • IT Security Team: Responsible for ongoing monitoring of TPSP activities, incident response, and ensuring compliance with this policy.
  • CISO: Manages governance, risk assessments, and reviews contracts with TPSPs, ensuring security requirements are met.
  • Vendors: TPSPs are required to comply with security and data protection standards outlined in this policy.
  • IT Security Team: Oversees the classification, protection, and usage of institutional data in coordination with other teams.

5. Vendor Onboarding and Risk Assessment

  • Vendor Selection: The security team reviews all new software or service requests (as per the Reviewing Software Requests policy), assessing the risk based on the sensitivity of the data handled by the vendor and the vendor's security posture.
  • Risk Assessment: All TPSPs undergo an initial risk assessment covering security controls, encryption, and incident response capabilities. High-risk vendors must demonstrate compliance with industry standards such as SOC 2 Type II or ISO 27001.

6. Ongoing Monitoring

  • Monitoring Tools: The institution uses Microsoft Sentinel, Cisco XDR, and Defender XDR to monitor and log TPSP activities and potential threats. Alerts are centralized and worked by Red Canary and the IT Security Team. Data breach incidents are handled as per the Security Incident Response - Data Breach Playbook.
  • Data Classification and DLP: Microsoft Purview enforces data classification and Data Loss Prevention (DLP) for sensitive and restricted data shared via Microsoft Teams, SharePoint, and Google Workspace.
  • Cloud Protection: Defender for Cloud Apps, Cisco Umbrella, and Red Canary Cloud Protection continuously monitor TPSP interactions with cloud services, alerting on suspicious activities.

7. Governance and Compliance

  • Contractual Obligations: TPSP contracts must include data security, breach notification, and compliance requirements as stipulated by the GLBA Safeguards Rule. The SDBOR DPA should be attached whenever possible. These contracts are stored centrally in our ITSM tool, TeamDynamix.
  • Data Governance Review: Periodic reviews, at minimum yearly, occur to ensure that TPSPs align with the institution’s data protection policies and governance standards. Breach lists, Defender for Cloud Apps posture checks, and Umbrella posture checks will be used to monitor vendors. Compliance is reported to the CISO for further action as needed.

8. Incident Response and Breach Notification

  • Incident Response Plan: In the event of a data breach involving TPSPs, the institution follows the Security Incident Response - Data Breach Playbook. Key steps include identifying the breach, containing the damage, notifying stakeholders, and reporting to regulatory authorities such as the Department of Education.
  • Breach Notification: TPSPs must notify the institution within 24 hours of discovering a breach. The institution’s IT Security Team will then notify affected individuals and regulatory bodies in accordance with state and federal laws, including South Dakota breach notification requirements.
  • Root Cause Analysis: Following a breach, a root cause analysis will be conducted, and TPSPs must submit a post-incident report outlining remedial actions taken.

9. Audits and Reviews

  • Annual Audits: The institution conducts annual audits of TPSP compliance with security controls, data handling practices, and breach response procedures.
  • Vendor Reviews: TPSPs are subject to periodic security reviews, at a minimum yearly, and must provide evidence of compliance, including audit reports and security certifications (e.g., SOC 2 Type II). Breach lists, Defender for Cloud Apps posture checks, and Umbrella posture checks will be used to monitor vendors.
  • Software Inventory: All third-party software is tracked and managed through the Inventory and Control of Software Assets Policy.

10. Enforcement and Sanctions

Failure of any third-party service provider to comply with this policy may result in contract termination, reporting to regulatory bodies, or other legal actions as deemed necessary by USD or the SDBOR.

This policy provides a cohesive structure for managing third-party cybersecurity risks, aligning with the GLBA Safeguards Rule and leveraging existing internal processes and tools.