Last review date: April 2020, version 1.0.2
The purpose of the Bethel University Vendor Management Policy is to describe the actions and behaviors required to ensure that due care is taken to avoid inappropriate risks to Bethel University, its business partners, and its stakeholders from any of its vendors.
The Bethel University Vendor Management Policy applies to any individuals that interacts with, sets up or manages any Bethel University vendors.
- Vendors granted access to Bethel University Information Resources must sign the Bethel University Vendor Non-Disclosure Agreement/Business Associate Agreement.
- Vendors must be evaluated prior to the start of any service and thereafter on a bi-annual basis.
- A vendor risk assessment must be performed on vendors with access to confidential information and/or critical vendors.
- Vendors with PCI DSS compliance requirements must have their status reviewed on an annual basis.
- Vendor agreements and contracts must specify:
- The Bethel University information to which the vendor should have access to,
- How Bethel University information is to be protected by the vendor,
- How Bethel University information is to be transferred between Bethel University and the vendor,
- Acceptable methods for the return, destruction, or disposal of Bethel University information in the vendor’s possession at the end of the contract,
- Minimum information security requirements,
- Incident response requirements,
- Right for Bethel University to audit vendor.
- If a vendor subcontracts part of the information and communication technology service provided to Bethel University, the vendor is required to ensure appropriate information security practices throughout the supply chain.
- The vendor must only use Bethel University Information Resources for the purpose of the business agreement.
- Work outside of defined parameters in the contract must be approved in writing by the appropriate Bethel University point of contact.
- Vendor performance must be reviewed annually to measure compliance to implemented contracts or SLAs. In the event of non-compliance with contracts or SLAs, regular meetings will be conducted until performance requirements are met.
- Vendor’s major IT work activities must be entered into or captured in a log and available to Bethel University IT management upon request. Logs must include, but are not limited to, events such as personnel changes, password changes, project milestones, deliverables, and arrival and departure times.
- Any other Bethel University information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others.
- Vendor personnel must report all security incidents directly to the appropriate Bethel University IT personnel.
- Bethel University IT will provide a technical point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with these policies.
- New vendors must provide Bethel University a list of key personnel working on the contract.
- Vendors must provide Bethel University with notification of key staff changes within 24 hours of change.
- Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to Bethel University or destroyed within 24 hours.
- Upon termination of contract, vendors must be reminded of confidentiality and non-disclosure requirements.
- Upon termination of contract or at the request of Bethel University, the vendor must surrender all Bethel University badges, access cards, equipment and supplies immediately. Equipment and/or supplies to be retained by the vendor must be documented by authorized Bethel University IT management.
- ISO 27002: 7, 13, 15, 16
- NIST CSF: DE.CM
Waivers from certain policy provisions may be sought following the Bethel University Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.