File code: TECH.VENDOR.POL
Approval Date: 05/31/11
Approved By: President
Vendor Management Policy
University units using third-party vendors for information system services or custom software development must ensure that proper controls are in place to satisfy the University's “due diligence” requirements, including but not limited to the following:
- Information security contract language must be added to all contracts that provide access to University systems, data, sensitive areas (such as data centers, wiring closets, etc.) or provide custom development on behalf of the University. This is coordinated through the Office of the Vice President for Administrative Services.
- It is recommended that a Non-Disclosure Agreement (NDA) be on file at the business office for each vendor that handles University proprietary or sensitive data on behalf of the University.
- Custom software development by third parties of critical systems or systems collecting, transmitting or storing sensitive data must comply with Secure Application Development guidelines as defined in the Administrative Procedure.