University of North Carolina at Chapel Hill Standard on Information Technology Vendor Management
Introduction
Purpose
- To guide individuals and units at the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") on responsibilities to manage suppliers of Information Technology (IT) services, software, and systems.
- To manage risk to University information and other assets by creating clear communication and understanding between vendors and University staff.
- To define required security controls monitoring activities.
Scope
People and University units buying IT services, software, and systems, including "zero-dollar" transactions.
Standard
This Standard meets the UNC-Chapel Hill Policy on Responsibility for University-Purchased Goods, Services, and Equipment by:
- explaining what must be done to manage suppliers of IT services, systems, and software; and
- telling units how to keep vendor systems and services compliant with the University IT security program.
The Standard only sets minimum requirements.
Individuals involved in obtaining IT services, software, and systems from outside suppliers are responsible for ensuring that suppliers:
- are held to the terms of their agreement,
- supply everything they agree to deliver, and
- adhere to the applicable parts of University IT Policies, Standards, and Procedures.
Units must have a process in place to rank active management of specific vendors based on risk. Unit management may decide how to rank vendors, but should consider at least:
- classification of University information the vendor may have access to;
  - Review the Information Classification Standard to determine whether the data is Tier 2 or 3. You may use a standard assessment or questionnaire to decide data classification;
- risk to the University;
  - You can, for example, use the results of an internal risk assessment, a review of the vendor's documentation, or any third-party assessment they are able to provide;
- vendor system design; and
- mission-criticality of systems the vendor might affect.
This evaluation should take place when the vendor is selected. Review the criteria periodically during the term of each vendor’s engagement to account for changes.
Vendor Management Requirements
The unit should manage vendors identified as top priorities using proper documentation. These are the minimum requirements:
Contract phase
Note: Most purchases using P-Cards do not allow for adequate contract review and negotiation. To meet the requirements of this Standard, only use a P-Card for IT purchases for technology with a Moderate or High IT security protection obligation or involving Tier 2 or 3 data when directed to use that payment method by UNC Procurement Services for a specific purchase.
- The unit must always have access to a copy of the active agreement if any part of it might be enforceable. For example, if a vendor has held University data that would require a Business Associate Agreement (BAA), then the unit must keep the agreement and BAA.
  - The University General Records Retention and Disposition Schedule and applicable law will control the duration.
  - If the agreement is for the purchase of "perpetual" software licenses, then the agreement must be kept for as long as the software is in use by the unit.
- If applicable, make sure that the Institutional Privacy Office has been given a copy of the BAA and the underlying agreement. (If the unit is not the primary contract-holder, keeping a summary of the relevant provisions from the primary contracting unit is enough.)
- Work with the proper University contracting unit and make sure the agreement has terms suitable to protect University data and the systems involved, such as:
  - IT Security standards,
  - indemnification for data breach,
  - cyber-liability insurance,
  - confidentiality,
  - BAA (for Protected Health Information),
  - nondisclosure,
  - return or destruction of data at termination, and/or
  - accessibility requirements.
You may need language beyond standard Terms & Conditions to meet unit and University needs.
- The contract must include requirements for the vendor to supply updated information for review, as applicable:
  - updated security risk assessments,
  - Voluntary Product Accessibility Template (VPAT),
  - any applicable cooperation with audits or re-assessment,
  - business continuity planning/testing, and/or
  - other specific needs.
Monitoring
- Maintain and update at least once a year a list of top priority vendors for the University unit, including at least:
  - Vendor's contact name and information,
  - Unit responsible individual's contact name,
  - Goods or services provided, and
  - Location of the copy of the agreement/terms and other critical vendor documentation.
- For each top priority vendor, complete the following at least once a year:
  - Classify priority vendors according to category (general, sensitive information, mission-critical). Focus monitoring activities according to the risk and criticality of the services.
  - Track the vendor's performance and the key security controls in place for the vendor. Security control monitoring may be limited to reviewing vendor security documentation and confirming that any training of vendor staff required under the agreement has occurred. In some cases, the responsibility lies with the primary contracting unit to train vendor staff. (See Information Security Controls Standard.) The review should include at least:
    - The agreement terms/contract. Document that review and address any performance issues.
    - If applicable, confirm that the vendor is doing adequate business continuity planning and tests the services provided to the University.
    - Ensure that access to University systems by the vendor's staff is reviewed. Confirm that vendors hosting University sensitive information have access review procedures in place.
    - Make sure that vendor staff who perform IT changes to University systems follow University Change Management processes. Confirm that vendors supplying IT systems or services are following rigorous internal IT change management processes of their own. They must communicate changes to the University in a useful way.
  - When the University does an IT Security Risk Assessment, make sure you are getting vendor documentation of their security program and keeping that documentation according to the General Records Retention and Disposition Schedule.
  - Make sure the unit has a responsible individual chosen to manage the vendor relationship. This person must be able to work through required University incident reporting and management involving the vendor.
Exceptions
Exceptions may be authorized in writing by the:
- Vice Chancellor for Information Technology (Chief Information Officer) or people they assign, or the
- Chief Information Security Officer.
Related Requirements
External Regulations and Consequences
University Policies, Standards, and Procedures
Contact Information
Primary Contact
Unit: ITS (Information Technology Services) Policy Office
Phone: 919-962-HELP
Email: its_policy@unc.edu
Other Contacts
For BAA process assistance, contact the Institutional Privacy Office at privacy.unc.edu or privacy@unc.edu.
For issues with vendor performance, contact Purchasing Services at purchasing_team@unc.edu.