Information Technology Vendor Management Standard


University of North Carolina at Chapel Hill Standard on Information Technology Vendor Management



To provide guidance for individuals and units on responsibilities for managing suppliers of Information Technology (IT) services, software, and systems. To manage risk to university information and other assets by creating clearer communication and understanding between vendors and University staff. To define required security controls monitoring activities.

Scope of Applicability

All individual University Constituents and business/academic units involved in purchasing of IT services, software, and systems.


In accord with the University of North Carolina at Chapel Hill Policy on Responsibility for University-Purchased Goods, Services, and Equipment, this Standard addresses specific minimum requirements for the management of suppliers of IT services, systems, and software. This Standard provides minimum requirements for units to maintain vendor compliance with the University IT security program.

Individuals involved in obtaining IT services, software, and systems from outside suppliers are responsible for ensuring that suppliers are held to the terms of their agreement, provide all required deliverables, and adhere to the applicable requirements of University IT Policies, Standards, and Procedures.

Units must have a process in place to prioritize active management of specific vendors based on risk and criticality. Unit management may determine criteria for prioritizing vendors, but should take into account at least:

  • classification of University information to which the vendor may have access, particularly Information Classification Standard Tier 2 or 3 (a standard assessment or questionnaire may be used to determine data classification);
  • risk to the University (this may be based upon results of an internal risk assessment or review of the vendor’s documentation, particularly any third-party assessment they are able to provide);
  • vendor system design; and
  • mission criticality of systems impacted by the vendor.

This evaluation should take place at selection of the vendor, and these criteria should be reviewed periodically during the term of each vendor’s engagement to account for changed circumstances.

Vendor Management Requirements

Vendors identified as top priorities by the unit must be managed, with appropriate documentation, according to at least the following minimum requirements:

Contract phase

  • The unit must maintain access to a copy of the active agreement as long as any provision may be enforceable. For example, if a vendor has held University data that would require a Business Associate Agreement (BAA), then the unit must maintain the agreement and BAA in keeping with the University General Records Retention and Disposition Schedule and applicable law. If the agreement is for the purchase of “perpetual” software licenses, then the agreement must be maintained for the life of the software in use by the unit. If applicable, ensure that a copy of the BAA and underlying agreement has been submitted to the Institutional Privacy Office. (If the unit is not the primary contract-holder, maintaining a summary of the relevant provisions from the primary contracting unit is sufficient.)
  • In collaboration with the appropriate University contracting unit, ensure the agreement contains terms suitable for the protection of the University data and systems involved (e.g. IT Security standards, indemnification for data breach, cyber-liability insurance, confidentiality, BAA, nondisclosure, return or destruction of data at termination, accessibility requirements, or other appropriate terms). Determine whether language beyond standard Terms & Conditions is needed to meet unit and University requirements.
  • Include in the contract any requirement for ongoing provision of information for review (updated security assessments, Voluntary Product Accessibility Template (VPAT), etc.) and any requirement to cooperate with audit, re-assessment, business continuity planning/testing, etc.


  • Maintain (and update at least annually) a list of top priority vendors for the University unit, and information including at a minimum:
    • Vendor contact name and information
    • Unit responsible-individual contact name
    • Goods or services provided
    • Location of the copy of the agreement/terms and other critical vendor documentation
  • For each top priority vendor, at least annually:
    • Classify priority vendors according to category (general, sensitive information, mission-critical) and prioritize monitoring activities according to risk and criticality of services.
    • No less than annually, monitor vendor performance and key security controls in place for the vendor. (Security control monitoring may be limited to review of vendor security documentation and confirmation that any required training of vendor staff under the agreement has occurred, or ensuring that the primary contracting unit has done so.) (See Information Security Controls Standard.) Review should include at minimum:
      • Review the agreement terms/contract and document that review and any performance issues that need to be addressed
      • Confirm that the vendor performs adequate business continuity planning and testing of services provided to the University (if applicable)
    • Ensure that vendor staff privileged access to University systems is reviewed in an effective way and/or confirm that vendors hosting University sensitive information have rigorous access review procedures in place.
    • Ensure that vendor staff performing IT changes to University systems follow University Change Management processes and/or confirm that vendors providing IT systems or services adhere to rigorous internal IT change management processes and communicate changes effectively to the University.
    • When a risk assessment is involved, obtain the vendor’s documentation of its security program at least annually and maintain it in such a way that the unit has access to the documentation in accord with the General Records Retention and Disposition Schedule.
    • Ensure that the unit has a responsible individual designated for management of the vendor relationship. Ensure that this individual is able to facilitate required University incident reporting and management by the vendor.


This Standard shall be treated as advisory rather than mandatory until one year after its initial authorization. (This does not supersede existing requirements under law or current University policy.)

Other exceptions must be authorized in writing by the Chief Information Officer or their designee(s), or by the Chief Information Security Officer.


  • University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contact

Unit: ITS Policy Office

Phone: 919-962-HELP


Other Contacts

For BAA process assistance, contact the Institutional Privacy Office at or

For issues with vendor performance, contact Purchasing Services at



Article ID: 131252
Thu 4/8/21 9:04 PM
Tue 3/8/22 10:23 AM
Effective Date: 12/15/2020 8:34 AM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 12/15/2021 12:00 AM
Last Revised: 11/04/2019 2:15 PM
Next Review: 12/14/2024 12:00 AM
Origination: 09/18/2018 12:00 AM
Responsible Unit: Information Technology Services