Information Technology - Third Party - Security Policy

Section 1 - Purpose and Scope

Purpose

(1) Before procuring or implementing any third-party Information Technology (IT) services, a formal information classification and risk assessment must be undertaken by Technology Services. The risk assessment must be approved by the Director, Cyber Security, or Vice President (Operations) where there is high to significant risk. Third-party services not meeting minimum standards or lacking approval may be removed or isolated from the University's IT environment.

Scope

(2) Third-party IT services refer to IT services where the application and/or data reside on hardware not owned by the University. There are three main types of third-party IT services: hosting, software as a service (SaaS), and third-party computing.

(3) Non-SCU entities that operate IT resources or handle institutional information are considered third parties for the purposes of this policy.

Section 2 - Policy

Risk Assessment

(4) Before procuring or implementing a third-party IT service, the Technology Services Cyber Resilience Team must conduct a detailed risk assessment. This assessment should identify risks associated with the implementation of the service, and an evaluation of these risks, along with appropriate management actions and mitigations, must be included in any business case.

(5) Throughout the lifespan of the third-party IT service, risks related to its ongoing use must be incorporated into the risk management plans of Technology Services and the business owners for periodic review. These plans should include specific risks related to upgrades, additions, and new versions of the system (whether initiated by the University or the vendor), as well as monitoring assurance reports provided by vendors.