Vendor Risk Management
Information Security Standard

Information Security Standards (ISS) are developed to support and enforce both District Administrative Regulations and the California Community College Information Security Standard.

Vendor Risk Management

Long Beach City College relies upon a variety of third-party applications, hardware, services, and vendors (third-party systems) to support many of its core business functions. These systems often have direct access to institutional data, networks, and other information systems, thereby presenting an inherent risk to the District. The inclusion and consideration of information security controls is, therefore, an integral part of purchasing and maintaining new and existing third-party systems.

Federal and State Compliance

California community colleges are subject to many federal and state information security requirements. One such requirement within the Gramm-Leach-Bliley Act (GLBA), under the Safeguards Rule (16 CFR §314.4[d]), is that institutions shall:

Oversee service providers, by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  2. Requiring your service providers by contract to implement and maintain such safeguards.

In support of this mandate, project owners (the individuals or business units requesting a project) shall be responsible for gathering information for both the Acquisition Planning and Vendor Security Assessment phases of the process before any third-party system is purchased, subscribed to, or otherwise contracted with.

Acquisition Planning

During the planning phase, the project owner shall address the following security-related considerations as part of a completed IITS Project Request before completing a PeopleSoft Requisition.

  1. Does the system integrate with the District’s centrally managed authentication services?
  2. Does the system support two-factor authentication?
  3. Have you identified and classified the information to be provided, accessed, transmitted, or stored to determine appropriate data protection and handling?
  4. Have you confirmed that the vendor or external party will not store or transmit protected data (identified above) outside of the U.S.?
  5. If the application or system involves credit/debit card payment transactions, have you contacted the Contracts and Purchasing Department regarding payment card compliance?

In the event that a vendor cannot meet minimum information technology or security standards and a compensating control cannot be provided to address critical gaps, the project owner shall be required to find an alternative solution.

Failure to complete an IITS Project Request may adversely slow the purchasing process as these considerations must be addressed before a PeopleSoft Requisition can be completed.

When you are ready to complete this part of the process, please download and complete the IITS Acquisition Planning Form, and return it to the IITS representative assisting you.

Vendor Security Assessments

Security assessments are a crucial part of managing and understanding risks associated with third-party systems. Vendors must be able to show that they have the proper administrative, physical, and technological safeguards in place to ensure the confidentiality, integrity, and availability of institutional data and related systems.

Project owners shall be responsible for providing the vendor with a Higher Education Community Vendor Assessment Toolkit (HECVAT). Although originally created for cloud applications, the HECVAT has been widely adopted by higher education to assess any service that interfaces with institutional data, information systems, and/or infrastructure.

The completed HECVAT shall be attached to the PeopleSoft Requisition and approved by IITS before a Purchase Order is completed. The assessment will be reviewed to ensure that:

  1. The vendor or system meets District standards and
  2. In the event that any gaps are identified, necessary compensating controls are negotiated for and agreed upon.

In the event that a vendor cannot meet minimum information technology or security standards and a compensating control cannot be provided to address critical gaps, the project owner shall be required to find an alternative solution.

Existing vendors shall be required to submit an updated security assessment:

  • Once every two years.
  • Before renewal if gaps were identified in the prior contract.

Where to Start

Requests for office and lab-based software shall be initiated through the Office of Computing and User Support Services.

Requests for administrative, institutional, and enterprise-wide software shall be initiated through the Office of Application Support and Development.