IT Third-Party Vendor Management Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. Data and the activities that depend on this data are among our most valuable university assets. FSU takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty, and staff, as well as to protect the confidentiality of information important to the university's academic and research mission. The university is committed to the security and privacy of its data and technology assets, whether managed by FSU or through third-party vendor agreements.

This standard defines the requirements and best practices for requesting and managing third-party vendor agreements and engagements to ensure vendor compliance with FSU security and privacy policies and standards as well as applicable privacy laws and contractual obligations. This includes, but is not limited to IT resources and software, cloud or other outsourced services, data protection, and technology assets.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.


II. Definitions

Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

FERPA – the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. Florida Statute 1002.22 requires FSU to protect the disclosure and access to student education records in accordance with FERPA.

GLBA – the Gramm-Leach-Bliley Act requires financial institutions to safeguard sensitive data and explain their information sharing practices to their customers.

HIPAA – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding patient medical information.

PCI DSS – the Payment Card Industry Data Security Standard defines compliance requirements for any company that accepts, stores, processes, or transmits credit card information that protect the privacy and security of consumers.

GDPR – the General Data Protection Regulation is the regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.

Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

Third-Party Vendor/Provider – a company or entity with whom FSU has a written agreement or is seeking an agreement to provide a product or service.

Full IT Glossary


III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function Category Desired Outcome
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Supply Chain Risk Management (ID.SC):
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
ITS Reviewer
The technology professional(s) designated by the CISO/CIO to review requests and make security and privacy related recommendations for the procurement of technology resources and their compliance with university policies and standards.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
Application Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the Data Security Standard.

For more information, see IT Roles and Responsibilities.

Third-Party Agreement Requirements

University-approved technology solutions are vetted by established procurement processes including IT compliance and legal reviews. It is recommended that University Units use university-approved technology unless a third-party vendor agreement is necessary to address circumstances where requirements cannot be met with reasonable efforts or would significantly impair the educational, research, business, or service missions of the University.

Requests for exceptions to security policies and standards must be submitted in accordance with the Request for Exception to IT Security Policy. Such requests must be specific and include valid reasons for the added risk to FSU’s security posture.

When a third-party agreement is necessary, the requestor (IT Asset Custodian, Application Custodian or Data Custodian, as applicable) or the University Unit ISM will coordinate with the CUU ISM to request approval on the requestor’s behalf through this process:

  • Identify the business requirements that cannot be met with university-approved technology.
  • Identify alternative solutions to allow the University Unit to accomplish its objective while providing compliance for all applicable security and privacy standards and controls.
  • Obtain written approval for the request from the requestor’s University Unit DDDH and the CUU DDDH.
  • Ensure the request is properly reviewed and approved by all relevant stakeholders (CUU ISM, CUU Privacy Coordinator, ISPO, ITS, Procurement Services, etc.) prior to finalization of procurement. Submit the appropriate checklist for review.
  • For approved requests, work with the Office of Procurement Services and Office of General Counsel to ensure third-party agreements contain terms and conditions beneficial to the university and bind such vendors to them. Vendor agreements must contain terms to stipulate adherence to FSU policy, legislation, or contractual safeguarding provisions when High Risk or Moderate Risk data is processed, transmitted, or stored by a third-party vendor (Security and Privacy Standard Terms and Conditions).
  • Retain authorization and related approval documentation.
  • Communicate intended use of third-party services to appropriate stakeholders.

University Unit Privacy Coordinators are responsible for maintaining a current inventory of third-party vendors who have access to High Risk or Moderate Risk information. The Vendor Inventory shall include vendor information including contact information, authorized access to High Risk or Moderate Risk data, scope of work, security requirements, end of contract/deactivation information, and any other relevant risk related information. The Vendor Inventory shall be made available to the CUU Privacy Coordinator, CUU ISM and ISPO upon request.

Management Of Third-Party Vendors

CUU DDDHs are responsible for ensuring that procedures are in place to manage third-party vendor engagements in compliance with university policies, standards, and procedures, including this standard. For CUU DDDH-approved requests for third-party vendor agreements, contract language must include the following vendor requirements:

  • Vendor agreements must include language whereby the third-party vendor agrees to comply with all agreed upon applicable and appropriate security terms and conditions. All FSU contracts with vendors who are responsible for processing, transferring, or storing Gramm Leach Bliley Act (GLBA)-protected FSU information will be required, under the terms of the contract, to stipulate implemented safeguards that adhere to, and are in compliance with, the provisions of the GLBA.
  • Information must only be used within the scope of the engagement and the directions of FSU, and for no other purpose.
  • Vendor must ensure the safekeeping of public records.
  • Vendor shall implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality (authorized access), integrity and availability of FSU information.
  • Vendor will employ commercial best practices, including appropriate administrative, physical, and technical safeguards, to secure FSU data from unauthorized access, disclosure, alteration, and use.
  • Vendor will use industry standard, up-to-date tools, and technologies such as antivirus protections and intrusion detection methods, and according to the IT Vulnerability Management Standard.
  • Third-party staff with access to IT data and resources, such as staff augmentation resources with a courtesy appointment, must comply with training requirements as defined by the Information Security and Privacy Training Standard.
  • FSU’s email system is the official means of communication for university business. Third-party staff assigned an FSU email address are required to conduct FSU business from their FSU assigned email address containing the domain. Additional requirements for authorization and access are defined in IT Access, Authorization and Authentication Standard.
  • Vendor will comply with data backup and disaster recovery requirements, as defined in the IT Disaster Recovery Planning Standard.
  • Vendor will destroy the retained FSU information upon request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of FSU information given the level of sensitivity, value, and criticality to the University.
  • Vendors shall only access the systems and information necessary to perform required task(s) and leave their sessions open only during approved time frames.
  • Vendor will comply with additional FSU security and privacy policies and standards requirements related to any access to High Risk or Moderate Risk data.

Third-party vendors, including third-party partners, staff or other associates are accountable for all activities performed by their account. These users must understand and comply with all FSU IT security policies, standards, applicable contractual obligations, guidelines, practices, and procedures. They must also exercise caution to protect and secure FSU data, devices and portable storage media that are used on the FSU network or to store University data.

The requestor’s University Unit DDDH is responsible for ensuring continued compliance with this standard, including vendor access as defined by the Access, Authorization and Authentication Standard to ensure access for these accounts is restricted to defined time periods, and accounts are disabled automatically once they are no longer needed.

Access To High Risk and Moderate Risk Information

Performance of contracted services that require access to High Risk or Moderate Risk information as defined by the Data Security Standard requires additional security and privacy compliance. Examples of High Risk and Moderate Risk information include, but are not limited to, personally identifiable information (PII), student education records, protected health information, payment, and financial information, etc.

The CUU/University Unit DDDH or their designee is responsible for establishing procedures to ensure contracts and agreements involving IT resources, cloud and other outsourced services guarantee compliance with FSU security and privacy policies and standards. Risk management processes should be commensurate with the level of risk and complexity of its third-party relationships. Third-party vendors that have access to FSU Information classified as High Risk or Moderate Risk, or that provide high risk services shall receive the greatest scrutiny prior to formalizing a contractual relationship.

Prior to obtaining access to FSU information, and as requested thereafter, prospective third parties are required to agree to and/or submit a written Security and Privacy Standard Terms and Conditions agreement, in which the rights and duties of FSU, the third-party contractor and any subcontractors engaged by the primary third-party contractor are specified for provisions related to High Risk or Moderate Risk information. Some of these provisions include:

  • Contractor must protect the privacy and security of university data in full compliance with all applicable laws, regulations, rules, or standards, including, but without limitation, GDPR, FERPA, HIPAA, GLBA, the Federal Trade Commission Red Flags Rule, EAR, ITAR, the Social Security Act, and the PCI DSS.
  • Contractor shall ensure that such security and privacy measures are regularly reviewed and revised to address evolving threats and vulnerabilities.
  • Contractor will ensure that information is properly encrypted, as defined in the Encryption Standard.
  • Individuals not employed by FSU who are authorized to view High Risk or Moderate Risk information must comply with security and privacy requirements covered by third-party contracts and agreements. Additional requirements for authorization and access to High Risk or Moderate Risk data are defined by the IT Access, Authorization and Authentication Standard, the Information Privacy Standard and other FSU Security and Privacy policies and standards.
  • When a third party performs disposal or sanitization of data on behalf of the University, a contract reviewed by ITS must be in place assigning data handling responsibilities appropriate for the data classification level of data being managed for destruction, as defined by the Data Disposal and Media Sanitization Standard.
  • All applications, databases, and application programming interfaces (APIs) that maintain, process, transmit, or store High Risk or Moderate Risk university information must comply with the IT Application Secure Coding Standard and the IT Enterprise Application Integration Standard.
  • High Risk or Moderate Risk FSU data must not be stored on personal devices or non-approved third-party information systems.

Prior to performing services which require access to, transmission of, and/or storage of the university's moderate or high-risk data, the vendor shall provide a third-party certification verifying its ability to comply with university guidelines. If a third-party certification is not readily available, the vendor must complete FSU’s Third-Party Risk Self-Assessment. The vendor will not copy, cause to be copied, use, or disclose data received from or on behalf of the university except as permitted or required by the agreement, as required by law, or as otherwise authorized by the university.

In addition to sharing data, FSU receives confidential data from Federal, State, private or other sources. Custodians of data entrusted to FSU from other sources are bound by the same security and privacy compliance requirements provided by FSU policies and standards to safeguard data and IT assets.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.

IV. References

Back to Top | Back to Standards