

1.0 Purpose

Lehigh relies on vendors in many capacities across the University. To provide goods and services, vendors may be given access to private and sensitive information and systems, and they must protect the confidentiality, integrity, and availability of Lehigh University data and systems. Vendors will be given only the minimum information and access they need to perform their duties. The information security controls they use must be appropriate to the sensitivity of the information they possess and compliant with the University's Information Security Policy. Enforcement of this policy reduces third-party risk to the University.


2.0 Scope

This Policy applies to all vendors, contractors, consultants, and other third-party providers who support the University.


3.0 Roles and Responsibilities

The following defines the roles and responsibilities involved in reducing the information security risk that vendors pose to the University:

  • Senior University Official
    The Lehigh agent accountable for a particular vendor and for ensuring the vendor satisfies all agreements, including proper handling of information and systems. Has authority over vendor actions.
  • Chief Information Security Officer (CISO)
    Responsible for compliance with the Information Security Program. Ensures that risk assessments are completed and that each Senior University Official is aware of the risks and compliance status of the vendors they oversee.
  • Information Security Office
    Performs risk assessments on vendors and delivers the reports to the CISO.
  • Purchasing Services
    Ensures compliance with purchasing procedures during the acquisition of new services.
  • Office of General Counsel
    Provides legal advice and analysis regarding vendor contracts, including drafting, reviewing and negotiating contract terms that support the University's privacy and information security programs, as well as business needs.
  • Data Steward
    Designated senior University officials who have planning and policy-level responsibilities for data in their functional areas. Data Stewards may revoke vendors' access to data in order to protect the data. They may or may not be the same individual as the Senior University Official overseeing the vendor.


4.0 Vendor Assessment

A risk assessment must be performed for every vendor that supports the University and has access to University data. Assessments are performed at contract initiation, at contract renewal, at contract termination, and before data of a higher sensitivity classification is provided to a vendor. Assessments are risk-based, with the required security controls commensurate with the sensitivity of the information and systems the vendor uses. Data classification is managed through the Data Governance and Standards Committee.

The following individuals and offices are responsible for assessments:

  • The Senior University Official is responsible for ensuring the assessments are completed.
  • The Information Security Office performs the assessment.
  • The CISO is responsible for the rigor of the assessment.
  • The Data Steward authorizes the use of the data.

Assessments are triggered by the following events:

  • Contract Initiation
    Vendors must be appropriately vetted before being given access to Lehigh data and systems.
  • Contract Renewal
    Vendors must be reassessed upon contract renewal.
  • Contract Termination
    Vendors' access to systems and data must be removed upon contract termination.
  • Sensitive Data Required

     i. New Requirement to Access Sensitive Data

    When a vendor requires access to data of a more sensitive classification, an assessment must be performed and permission must be obtained from the Data Steward before access to the data and systems is provided.

    ii. Annual Review of Vendors with Access to Sensitive Data

    Vendors with access to Class I - Critical Information must be reassessed annually. Assessment documentation is retained by the Information Security Office.

5.0 Review

This policy is reviewed annually and modified as necessary.

6.0 Compliance and Enforcement

This policy is enforced by the Senior University Official responsible for the vendor relationship. Vendors determined to pose too much risk may have their system or data access removed. Before taking such action, the Senior University Official should consult with the Data Steward, the Office of General Counsel, LTS, and any other affected offices.

7.0 Referenced Documents

Classification of Data

APPENDIX A: VENDOR COMPLIANCE LIFECYCLE

[Figure: Vendor Compliance Lifecycle diagram]

8.0 Additional Contacts:

Subject                 Contact    Phone    Email
Information Security                        security@lehigh.edu

Responsible University Official: Eric Zematis, CISO
Responsible University Office: Lehigh Library and Technology Services (LTS), 610-758-3994
Effective Date: 01/--/2020
Revision Number: 1

For additional help, please contact the LTS Help Desk at 610-758-4357 or helpdesk@lehigh.edu