The Official Web site for the Office of Information Technology - UTSA

Copyright (c) 2008. The University of Texas at San Antonio. All rights reserved.

Vendor Access Standard

Purpose - The UTSA Vendor Access Standard establishes the rules for vendor access to UTSA information resources (IR) and support services, vendor responsibilities and protection of UTSA information.

Audience - The UTSA Vendor Access Standard applies to all individuals who are responsible for the installation of new information resources assets and the operations and maintenance of existing information resources.

  1. Vendors must comply with all applicable UTSA policies, practice standards and agreements, including, but not limited to:

    1. Safety

    2. Privacy

    3. Security

    4. Auditing

    5. Software Licensing

    6. Acceptable Use

  2. Vendor agreements and contracts must specify:

    1. What UTSA information the vendor should have access to

    2. How UTSA information is to be protected by the vendor

    3. The acceptable methods for the return, destruction or disposal of UTSA information in the vendor’s possession at the end of the contract

    4. That the vendor must only use UTSA information and information resources for the purpose of the business agreement

    5. That any other UTSA information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others. Vendors must sign a non-disclosure agreement that protects such information.

  3. Each vendor must provide UTSA with a list of all employees working on the contract. The list must be updated and provided to UTSA within 24 hours of staff changes.

  4. Each on-site vendor employee must acquire a UTSA identification badge that will be displayed at all times while on UTSA premises.  The badge must be returned to UTSA when the employee leaves the contract or at the end of the contract.

  5. Each vendor employee with access to UTSA confidential/sensitive information must be approved to access that information in accordance with the applicable IR Security Management Standards.

  6. Vendor personnel must report all security incidents directly to the UTSA Computer Incident Response Team at (210) 458-7216.

  7. If vendor management is involved in UTSA security incident management, the responsibilities and details must be specified in the contract.

  8. Vendors must follow all applicable UTSA change control processes and procedures.

  9. Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate UTSA management.

  10. All vendor maintenance equipment on the UTSA network that connects to the outside world -- via the network, telephone line, or leased line -- and all UTSA IR vendor accounts will remain disabled except when in use for authorized maintenance.

  11. Vendor access must be uniquely identifiable, and password management must comply with the UTSA Password Standard and Administrative Special Access Standard. The vendor’s major work activities must be entered into a log, which will be made available to UTSA management upon request. Logs must include, but are not limited to, such events as personnel changes, password changes, project milestones, deliverables, and arrival and departure times.

  12. Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to UTSA or destroyed within 24 hours.

  13. Upon termination of contract or at the request of UTSA, the vendor must surrender all UTSA identification badges, access cards, equipment and supplies immediately.  Equipment and/or supplies to be retained by the vendor must be approved and documented by authorized UTSA management.

  14. Vendors are required to comply with all state and UTSA auditing requirements, including the auditing of the vendor’s work.

  15. All software used by the vendor in providing service to UTSA must be properly inventoried and licensed.
