Information Technology Vendor Management Standard

Title

University of North Carolina at Chapel Hill Standard on Information Technology Vendor Management

Introduction

Purpose

  • To guide individuals and units at the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") on their responsibilities for managing suppliers of Information Technology (IT) services, software, and systems.
  • To manage risk to University information and other assets by creating clear communication and understanding between vendors and University staff.
  • To define the required security-control monitoring activities.

Scope

People and University units buying IT services, software, and systems, including "zero-dollar" transactions. 

Standard

This Standard meets the UNC-Chapel Hill Policy on Responsibility for University-Purchased Goods, Services, and Equipment by: 

  • explaining what must be done to manage suppliers of IT services, systems, and software; and
  • telling units how to keep vendor systems and services compliant with the University IT security program.

The Standard only sets minimum requirements.

Individuals involved in obtaining IT services, software, and systems from outside suppliers are responsible for ensuring that suppliers:

  • are held to the terms of their agreement,
  • supply everything they agree to deliver, and
  • adhere to the applicable parts of University IT Policies, Standards, and Procedures.

Units must have a process in place to rank active management of specific vendors based on risk. Unit management may decide how to rank vendors, but should consider at least:

  • classification of University information the vendor may have access to;
    • Review the Information Classification Standard (Tier 2 or 3). You may use a standard assessment or questionnaire to decide the data classification;
  • risk to the University;
    • You can, for example, use the results of an internal risk assessment, a review of the vendor’s documentation, or any third-party assessment the vendor is able to provide;
  • vendor system design; and
  • mission-criticality of the systems the vendor might affect.

This evaluation should take place when the vendor is selected. Review the criteria periodically during the term of each vendor’s engagement to account for changes.

Vendor Management Requirements

The unit should manage vendors identified as top priorities using proper documentation. These are the minimum requirements:

Contract phase

  • The unit must always have access to a copy of the active agreement if any part of it might be enforceable. For example, if a vendor has held University data that would require a Business Associate Agreement (BAA), then the unit must keep the agreement and BAA.
    • The University General Records Retention and Disposition Schedule and applicable law will control the duration.
    • If the agreement is for the purchase of “perpetual” software licenses, then the agreement must be kept for as long as the software is in use by the unit.
    • If applicable, make sure that the Institutional Privacy Office has been given a copy of the BAA and the underlying agreement. (If the unit is not the primary contract-holder, keeping a summary of the relevant provisions from the primary contracting unit is enough.)
  • Work with the proper University contracting unit and make sure the agreement has terms suitable to protect University data and the systems involved such as:
    • IT Security standards,
    • indemnification for data breach,
    • cyber-liability insurance,
    • confidentiality,
    • BAA (for Protected Health Information),
    • nondisclosure,
    • return or destruction of data at termination, and/or
    • accessibility requirements.

You may need language beyond standard Terms & Conditions to meet unit and University needs.

  • The contract must include requirements for the vendor to supply updated information for review, as applicable:
    • updated security risk assessments,
    • Voluntary Product Accessibility Template (VPAT),
    • any applicable cooperation with audits or re-assessment,
    • business continuity planning/testing, and/or
    • other specific needs.

Monitoring

  • Maintain, and update at least once a year, a list of top priority vendors for the University unit, including at least:
    • Vendor’s contact name and information,
    • Unit responsible individual’s contact name,
    • Goods or services provided, and
    • Location of a copy of the agreement/terms and other critical vendor documentation.
  • For each top priority vendor, complete the following at least once a year:
    • Classify priority vendors according to category (general, sensitive information, mission-critical). Focus monitoring activities according to the risk and criticality of the services.
    • Track the vendor’s performance and the key security controls in place for the vendor. Security control monitoring may be limited to reviewing vendor security documentation and confirming that any training of vendor staff required under the agreement has occurred. In some cases, the responsibility for training vendor staff lies with the primary contracting unit. (See the Information Security Controls Standard.) The review should include at least:
      • The agreement terms/contract. Document that review and address any performance issues.
      • If applicable, confirm that the vendor is doing adequate business continuity planning and tests the services provided to the University.
    • Ensure that access to University systems by the vendor’s staff is reviewed. Confirm that the vendors hosting University sensitive information have access review procedures in place.
    • Make sure that vendor staff who perform IT changes to University systems follow University Change Management processes. Confirm that vendors supplying IT systems or services are following rigorous internal IT change management processes of their own. They must communicate the changes to the University in a useful way.
    • When the University does an IT Security Risk Assessment, make sure you are getting the vendor’s documentation of their security program and keeping that documentation according to the General Records Retention and Disposition Schedule.
    • Make sure the unit has a responsible individual chosen to manage the vendor relationship. This person must be able to work through required University incident reporting and management involving the vendor.

Exceptions

Exceptions may be authorized in writing by the:

  • Vice Chancellor for Information Technology (Chief Information Officer) or people they assign, or the
  • Chief Information Security Officer.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contact

Unit: ITS (Information Technology Services) Policy Office 

Phone: 919-962-HELP 

Email: its_policy@unc.edu 

Other Contacts

For BAA process assistance, contact the Institutional Privacy Office at privacy.unc.edu or privacy@unc.edu.

For issues with vendor performance, contact Purchasing Services at purchasing_team@unc.edu.


Details

Article ID: 131252
Created: Thu 4/8/21 9:04 PM
Modified: Tue 4/16/24 4:12 PM
Effective Date: 12/15/2020 8:34 AM
Issuing Officer Title: Assistant Vice Chancellor and CISO • ITS - VC - CIO
Last Review: 12/13/2023 12:00 AM
Last Revised: 11/04/2019 2:15 PM
Next Review: 12/13/2026 12:00 AM
Origination: 09/18/2018 12:00 AM
Responsible Unit: Information Technology Services
