Vendor Risk Management
Information Security Procedure


Information Security Procedures (ISPR) provide the formal methods by which Information Security Regulations, Standards, and Best Practices are carried out.

This ISPR directly supports the Vulnerability Management Information Security Standard.

Vendors and Security Risk

Long Beach City College relies upon a variety of third-party applications, hardware, services, and vendors (third-party systems) to support many of its core business functions. These systems often have direct access to institutional data, networks, and other information systems, thereby presenting an inherent risk to the District. The inclusion and consideration of information security controls is, therefore, an integral part of purchasing and maintaining new and existing third-party systems.

Federal and State Compliance

California community colleges are subject to several federal and state information-security mandates. One such requirement of the Gramm-Leach-Bliley Act (GLBA) is to comply with the FTC Safeguards Rule (16 CFR §314.4[d]), which states that institutions shall:

Oversee service providers, by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  2. Requiring your service providers by contract to implement and maintain such safeguards.

In a nutshell, this means that when departments procure, purchase, or otherwise adopt a technology, they must have:

  1. A maintenance plan with the vendor to ensure that crucial software updates are available and get applied in a reasonable timeframe, and
  2. A replacement plan in place before that technology (or any associated technologies) reaches end-of-life.

In support of this mandate, Project Owners (the individuals or business units endorsing a project) shall be responsible for gathering information for both the Acquisition Planning and Vendor Security Assessment phases of the process before any third-party system is procured, purchased, or otherwise adopted.

Vendor Risk Management Process

The Vendor Risk Management Process is one of three processes required of the ITS ICT Request Procedure.

Acquisition Planning

During the planning phase, the Project Owner shall address several security-related considerations as part of the ITS ICT Request Procedure before completing a PeopleSoft Requisition. For example:

  1. Does the system integrate with the District’s centrally managed authentication services?
  2. Does the system support two-factor authentication?
  3. Have you identified and classified the information to be provided, accessed, transmitted, or stored to determine appropriate data protection and handling?
  4. Have you confirmed that the vendor or external party will not store or transmit protected data (identified above) outside of the U.S.?
  5. If the application or system involves credit/debit card payment transactions, have you contacted the Contracts and Purchasing Department regarding payment card compliance?

In the event that a vendor cannot meet minimum information technology or security standards and a compensating control cannot be provided to address critical gaps, the Project Owner shall be required to find an alternative solution.

Failure to complete the ITS ICT Request Procedure may slow the purchasing process, as these considerations must be addressed before a PeopleSoft Requisition can be completed.

When you are ready to complete this part of the process, please download and complete the ITS Acquisition Planning Form, and return it to your Technical Liaison.

Vendor Security Assessments

Security assessments are a crucial part of managing and understanding risks associated with third-party systems. Vendors must be able to show that they have the proper administrative, physical, and technological safeguards in place to ensure the confidentiality, integrity, and availability of institutional data and related systems.

Project Owners shall be responsible for providing the vendor with a Higher Education Community Vendor Assessment Toolkit (HECVAT). Although originally created for cloud applications, the HECVAT has been widely adopted by higher education to assess any service that interfaces with institutional data, information systems, and/or infrastructure.

The completed HECVAT shall be attached to the requisition and approved by the ITS ICT Approver before a Purchase Order is created. The assessment will be reviewed to ensure that:

  1. The vendor or system meets District standards and
  2. In the event that any gaps are identified, necessary compensating controls are negotiated for and agreed upon.

In the event that a vendor cannot meet minimum information technology or security standards and a compensating control cannot be provided to address critical gaps, the Project Owner shall be required to find an alternative solution.

Existing vendors shall be required to submit an updated security assessment:

  • Once every two years.
  • Before renewal, if gaps were identified in the prior contract.