1.0 Purpose
Lehigh relies on vendors in many capacities across the University. Vendors may have access to private and sensitive information and critical systems to help the university operate. They must protect the confidentiality, integrity, and availability of Lehigh University data and systems. Vendors will have the least amount of information and access they need to perform their duties. The information security controls they use should be appropriate to the sensitivity of the information they possess and compliant with the University’s Information Security Policy. Enforcement of this policy reduces third-party risk to the University.
2.0 Scope
This Policy applies to all vendors, contractors, consultants, and other third-party providers who support the University.
3.0 Roles and Responsibilities
The following defines the roles and responsibilities involved in reducing information security risk for vendors:
- Senior University Official
  Lehigh agent accountable for a particular vendor and for ensuring the vendor satisfies all agreements, including proper handling of information and systems. Has authority over vendor actions.
- Chief Information Security Officer (CISO)
  Responsible for compliance with the Information Security Program. Ensures completion of risk assessments and that the Senior University Official is aware of the risks and compliance status of the vendors they oversee.
- Chief Technology Officer (CTO)
  Responsible for identifying technology systems (and the associated vendors) which are critical to the operation of the University so that the appropriate risk assessments are performed. The CTO may make recommendations to the Senior University Official based on the results of assessments.
- Information Security Office
  Performs risk assessments on vendors and delivers the report to the CISO.
- Purchasing Services
  Ensures compliance with purchasing procedures during the acquisition of new services.
- Office of General Counsel
  Provides legal advice and analysis regarding vendor contracts, including drafting, reviewing and negotiating contract terms that support the University's privacy and information security programs, as well as business needs.
- Data Steward
  Designated senior University officials who have planning and policy-level responsibilities for data in their functional areas. Data Stewards may revoke vendor access to data in order to protect the data. They may or may not be the same individual as the Senior University Official overseeing the vendor.
4.0 Vendor Assessment
There should be a risk assessment performed for all vendors supporting the University with access to data. Assessments should be done during contract initiation, contract renewal, contract termination and before data at a higher level of sensitivity is provided to a vendor. Assessments will be risk-based with required security controls commensurate to the sensitivity of information and systems they use. Our data classification is managed through our Data Governance and Standards Committee.
The following individuals and offices are responsible for assessments:
- The Senior University Official is responsible for ensuring the assessments are completed.
- The Information Security Office will perform the assessment.
- The CISO is responsible for the rigor of the assessment.
- The Data Steward authorizes the use of the data.
- Contract Initiation
  Vendors need to be appropriately vetted before being given access to Lehigh data and systems.
- Contract Renewal
  Vendors should be reassessed upon contract renewal.
- Contract Termination
  Vendors' access to systems and data needs to be removed upon contract termination.
- Sensitive Data Required
i. New Requirement to Access Sensitive Data
When vendors require access to data of a more sensitive classification, an assessment should be performed and permission from the Data Steward must be granted before access to the data and systems is provided.
ii. Annual Review of Vendors with Access to Sensitive Data
Vendors with access to Class I - Critical Information need to be re-assessed annually. Documentation will be retained within the Information Security Office.
- Critical System
i. Newly Identified as a Critical System
When the CTO designates a system and associated vendor as critical, an assessment should be performed. The CTO will review and report any concerns to the Senior University Official.
ii. Annual Review of Critical Technology Vendor
Vendors with access to systems deemed critical to Lehigh University operations need to be reassessed annually and a summary of risk changes will be provided to the CTO. Documentation will be retained within the Information Security Office.
5.0 Review
This policy should be reviewed annually by the CISO and modified if necessary.
6.0 Compliance and Enforcement
This policy will be enforced by the Senior University Official who is responsible for the vendor relationship. Vendors who are determined to be too risky may have system or data access removed. The Senior University Official should consult with the Data Steward, the Office of General Counsel, LTS, and other offices prior to taking action.
7.0 Referenced Documents
- Appendix A: Vendor Compliance Lifecycle
8.0 Additional Contacts
Subject | Contact | Phone
---|---|---
Information Security | security@lehigh.edu | 
9.0 Revision History
Date | Version | Description | Approval
---|---|---|---
9/11/19 | 1.0 | Original Document | CGRC Committee |
10/15/19 | 1.0 | Original Document | ACIS Committee |
1/28/20 | 1.0 | Posted to Campus for comment | |
3/15/20 | 1.0 | Approved | ACIS Committee |
5/11/21 | 1.0 | Policy Review | CISO |
8/23/22 | 2.0 | Draft Changes based on Spring 22 Internal Audit recommendations to add Critical Systems to the process - Minor revisions | CISO |
9/20/22 | 2.0 | ACIS Approved Changes | ACIS Committee |