STANDARD FOR VENDOR ACCESS
The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 36 – Standard for Vendor and Third Party Controls and Compliance
I. STANDARD STATEMENT
This standard applies to all persons or companies with whom UTSA enters into contracts to provide services involving Information Resources and to those in the UTSA organization who sponsor a vendor or consultant.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 36 – Standard for Vendor and Third Party Controls and Compliance contact the following office:
The Office of Information Security
The University of Texas at San Antonio (UTSA) recognizes that Vendors and other contractors serve an important function in the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications. This standard applies to contracts entered into by UTSA that involve third-party access to, or creation of, Information Resources or University Data.
a. Contracts. Contracts of any kind, including purchase orders, memoranda of understanding (MOU), letters of agreement, or any other type of legally binding agreement, that involve current or future third-party access to or creation of Information Resources and/or Data must include terms determined by the Office of General Counsel as sufficient to ensure that Vendors and any subcontractors or other third-parties that maintain, create, or access University Data as the result of the contract comply with all applicable Federal and State security and privacy laws, this standard, UTS 165, and any applicable U.T. System and University Policy or Standard. Contracts must contain terms that ensure that all University Data affected by the contract is maintained in accordance with those standards at all times, including post-termination of the contract.
i. The Data Owner, UTSA procurement officers and staff, and the ISO are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance, or creation of University Data; and that all such access, outsourcing, or maintenance fully complies with this standard at all times.
ii. Any contract involving third-party access to, creation, or maintenance of Protected Health Information (PHI) as defined in 45 C.F.R. § 164.501, must include a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement in a form approved by UTSA Office of Legal Affairs.
iii. Any contract involving third-party-provided credit card services must require that the Contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
b. Vendor or other Third-Party Assessment. Prior to access, maintenance, or creation of University Data by a Vendor or any other third-party, UTSA must ensure that an assessment is or has been performed that is designed to ensure that:
i. The Vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and Integrity of the Data at rest and during any transmission or transfer; and
ii. any subcontractor or other third-party that will access, maintain, or create Data pursuant to the contract will also ensure the confidentiality, security, and Integrity of such Data while it is at rest and during any transmission or transfer; and
iii. As part of UTSA’s assessment of a Vendor or other third-party, the university will request copies of any self-assessments or third-party assessments that the Vendor or third-party has access to.
c. Access Control Measures. The university must control vendor and other third-party access to its data based on data sensitivity and risk. Controls must incorporate the following:
i. Vendor must represent, warrant, and certify it will:
- hold all confidential data in the strictest confidence;
- not release any confidential data unless the vendor obtains UTSA’s prior written approval and performs such a release in full compliance with all applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA);
- not otherwise use or disclose confidential data except as required or permitted by law;
- safeguard data according to all commercially reasonable administrative, physical, and technical Standards (e.g., such Standards established by the National Institute of Standards and Technology (NIST) or the Center for Internet Security);
- continually monitor its operations and take any action necessary to assure the data is safeguarded in accordance with the terms of this standard and UTS 165; and
- comply with the vendor access requirements that are set forth in this standard.
d. Breach Notification. Institutions shall require the following from the Vendor.
i. If an unauthorized use or disclosure of any confidential data occurs, the vendor must provide:
- written notice within one business day, or if the Data Owner, UTSA procurement officers, and the ISO are satisfied that a longer period is acceptable, within that period, after vendor’s or third-party’s discovery of such use or disclosure; and
- all Information UTSA requests concerning such unauthorized use or disclosure.
e. Return of Data. Within 30 days after the termination or expiration of a purchase order, contract, or agreement for any reason, the vendor must either:
i. return or securely destroy, as specified by contract or agreement, all data provided to the vendor by the university including all confidential data provided to the vendor’s employees, subcontractors, agents, or other affiliated persons or Institutions; or
ii. in the event that returning or securely destroying the data is infeasible, provide notification of the conditions that make return or destruction infeasible, in which case the vendor or third-party must:
- continue to protect all data that it retains;
- agree to limit further uses and disclosures of such data to those purposes that make the return or destruction infeasible for as long as vendor or other third-party maintains such data; and
- to the extent possible, de-identify such data.
Effective Date: August 1, 2011
Last Revised: June 6, 2017