IITS Standard: Vendor Risk Management


Information Security Standards are developed to support and enforce the California Community College Information Security Standard and all applicable District Administrative Regulations.

Vendor Risk Management

Long Beach City College relies upon a variety of third-party applications, hardware, services, and vendors (third-party systems) to support many of its core business functions. These systems often have direct access to institutional data, networks, and other information systems, thereby presenting an inherent risk to the District. The inclusion and consideration of information security controls is, therefore, an integral part of purchasing and maintaining new and existing third-party systems.

Federal and State Compliance

California community colleges are subject to many federal and state information security requirements. One such requirement within the Gramm-Leach-Bliley Act (GLBA), under the Safeguards Rule (16 CFR §314.4[d]), is that institutions shall:

Oversee service providers, by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  2. Requiring your service providers by contract to implement and maintain such safeguards.

In support of this mandate, project owners (the individuals or business units requesting a project) shall be responsible for both acquisition planning and a completed vendor security assessment before any third-party system is purchased, subscribed to, or otherwise contracted with.

Acquisition Planning

During the planning phase, the project owner shall address the following security-related considerations as part of a completed IITS Project Request before completing a PeopleSoft Requisition.

  1. Does the system integrate with the District’s centrally managed authentication services?
  2. Does the system support two-factor authentication?
  3. Have you identified and classified the information to be provided, accessed, transmitted, or stored to determine appropriate data protection and handling?
  4. Have you confirmed that the vendor or external party will not store or transmit protected data (identified above) outside of the U.S.?
  5. If the application or system involves credit/debit card payment transactions, have you contacted the Contracts and Purchasing Department regarding payment card compliance?
  6. In the event that (a) the vendor cannot meet minimum information technology or security standards and (b) a compensating control cannot be provided to address critical gaps, the project owner shall be required to find an alternative solution.

Failure to complete an IITS Project Request will slow the purchasing process, because these considerations must be addressed before a PeopleSoft Requisition can be completed.

Vendor Security Assessments

Security assessments are a crucial part of managing and understanding risks associated with third-party systems. Vendors must be able to show that they have the proper administrative, physical, and technological safeguards in place to ensure the confidentiality, integrity, and availability of institutional data and related systems.

Project owners shall be responsible for providing the vendor with a Higher Education Community Vendor Assessment Toolkit (HECVAT). Although originally created for cloud applications, the HECVAT has been widely adopted by higher education to assess any service that interfaces with institutional data, information systems, and/or infrastructure.

The completed HECVAT shall be attached to the PeopleSoft Requisition and signed off by IITS before a Purchase Order is approved. The assessment will be analyzed to ensure that (1) the vendor or system meets District standards and (2) in the event that any gaps are identified, necessary compensating controls are negotiated and agreed upon.

Existing vendors shall be required to submit a new security assessment under the following circumstances:

  • Once every two years.
  • Before renewal if gaps were identified in the prior contract.

Desktop software for offices and labs does not require a HECVAT but must be approved by the Office of Computing and User Support Services.