Body
Issue/Question
What is the USD security policy on Service Provider Management
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Service Provider Management
Policy Statement: The University recognizes the importance of effectively managing third-party service providers to ensure the security and privacy of University data and resources. This policy outlines guidelines for the selection, oversight, and monitoring of service providers to mitigate risks associated with outsourcing of University functions and services.
Policy Implementation:
-
Vendor Risk Assessment:
- The University will conduct thorough risk assessments of prospective service providers before engaging in contractual agreements.
- Risk assessments will evaluate the service provider's security practices, data protection measures, compliance with relevant regulations, and overall reliability.
- Vendors will be inventoried and classified
- Cloud based applications are considered service providers by USD. This includes 3rd party enterprise applications in Entra ID.
-
Contractual Requirements:
- Contracts and service level agreements (SLAs) with service providers will include provisions related to cybersecurity, data protection, confidentiality, and compliance with University policies and standards.
- Contractual terms will specify security requirements, incident response protocols, breach notification procedures, and access controls governing the handling of University data.
-
Security and Privacy Audits:
- The University reserves the right to conduct security and privacy audits of service providers to verify compliance with contractual obligations and regulatory requirements.
- Audits may include on-site inspections, review of security controls, assessment of data handling practices, and validation of compliance certifications.
-
Ongoing Monitoring and Oversight:
- Continuous monitoring and oversight of service providers will be conducted to ensure adherence to contractual agreements and security standards.
- Regular performance reviews, security assessments, and incident response drills will be conducted to assess the effectiveness of service provider controls and responsiveness to security incidents.
-
Exit Strategy and Contingency Planning:
- The University will develop exit strategies and contingency plans to mitigate risks associated with the termination or transition of services provided by third-party vendors.
- Contingency plans will include procedures for data retrieval, transition of services to alternate providers, and termination of access rights upon contract expiration or termination.
Compliance and Enforcement: Non-compliance with this policy may result in termination of contractual agreements, loss of access privileges, fines, or legal action. All University departments and personnel responsible for engaging with service providers are accountable for adherence to this policy and actively participating in service provider management activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of service provider management practices.
This policy provides a comprehensive framework for implementing CIS Control 15 within the University environment. It provides guidelines for effectively managing third-party service providers within the University environment, focusing on mitigating risks associated with outsourcing of University functions and services through thorough risk assessments, contractual requirements, ongoing monitoring, and contingency planning.
Please contact the Service Desk if you need further assistance