Policies and Procedures Manual 2025-2026

3.2.7 IT Vendor Management

Purpose

The purpose of the IT Vendor Management Policy is to establish rules for IT vendor access to University Information Resources and support services, IT vendor responsibilities, and protection of University information. To the extent this policy conflicts with existing University policy, the existing policy is superseded by this standard.

Introduction

IT vendors play an important role in the support of hardware and software management, and operations for customers. IT vendors can remotely view, copy and modify data and audit logs, correct software and operating system problems, monitor and fine-tune system performance, monitor hardware performance and errors, modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by IT vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to the University.

Scope

The IT Vendor Management Policy applies to all individuals who are responsible for the installation of new information resources assets, and the operations and maintenance of existing Information Resources, and who do or may allow IT vendor access for maintenance, monitoring and troubleshooting purposes.

Standard Provisions

  1. IT vendors must comply with all applicable University policies, standards and agreements, including, but not limited to:
    1. Safety policies;
    2. Privacy policies;
    3. Security policies and standards;
    4. Auditing policies;
    5. Software licensing policies; and
    6. Acceptable and Appropriate Use policies.

    The University will provide an Information Technology point of contact for the IT vendor. The point of contact will work with the IT vendor to make certain the IT vendor is in compliance with these policies.

  2. IT vendor agreements and contracts must specify:
    1. University information to which the IT vendor may have access.
    2. How University information is to be protected by the IT vendor.
    3. Acceptable methods for the return, destruction or disposal of University information in the IT vendor's possession at the end of the contract.
    4. That the IT vendor must only use University information and information resources for the purpose of the business agreement.
    5. That any other University information acquired by the IT vendor in the course of the contract cannot be used for the IT vendor's own purposes or divulged to others.
    6. If IT vendor management is involved in University security incident management, the responsibilities and details must be specified in the contract.
    7. Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate University management.

  3. Other requirements:
    1. Each IT vendor must provide the University with a list of all employees working on the contract. The list must be updated and provided to the University within twenty-four (24) hours of staff changes.
    2. Each on-site IT vendor employee must wear an identification badge that will be displayed at all times while on University premises. If it is a University identification card, it must be returned to the University when the employee leaves the contract or at the end of the contract.
    3. Each IT vendor employee with access to University sensitive information must be cleared to handle that information.
    4. IT vendor personnel must report all security incidents directly to the appropriate University personnel.
    5. IT vendors must follow all applicable University change control processes and procedures.
    6. IT vendor access must be uniquely identifiable and password management must comply with University Password Standards.
    7. Upon departure of an IT vendor employee from the contract for any reason, the IT vendor will ensure that all sensitive information is collected and returned to the University or destroyed within twenty-four (24) hours.
  4. Upon termination of contract or at the request of the University, the IT vendor will return or destroy all University information within twenty-four (24) hours.
  5. Upon termination of contract or at the request of the University, the IT vendor must surrender all University identification badges, access cards, equipment and supplies immediately. Equipment and/or supplies to be retained by the IT vendor must be documented by authorized University management. IT vendor-owned systems with University data must have the data destroyed.
  6. IT vendors are required to comply with all State and University auditing requirements, including the auditing of the IT vendor's work.
  7. All software used by the IT vendor in providing services to the University must be properly inventoried and licensed.


 

IT Vendor Management Policy

  1. Annual Review:
    1. Each IT vendor must provide the University with a list of all employees working on the contract, if applicable.
    2. Each IT vendor must submit a SOC2 report to the CIO annually.

Appendix A Revision Table

Document Owner: LaMica Justice, Chief Information Officer

Document History

| Rev # | Name | Date | Description | Signature |
|---|---|---|---|---|
| 1.0 | LaMica Justice | 7/10/2025 | Initial draft | Electronically signed |
| 1.1 | | | Initial release | |