Third-party Access to Information Technology Resources

Background and Reasons for the Policy:
There is often a business need for the University to provide vendors and other non-affiliated third parties access to the University's information technology resources. Vendors and other third parties often play an important role in the support of University of Connecticut information technology resources. In some cases, these entities access (or have access to) Non-Publicly Available data. University Data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as the:
- Family Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Electronic Communications Privacy Act (ECPA)
- Gramm-Leach-Bliley Act (GLBA)
- Children's Online Privacy Protection Act (COPPA)
- Freedom of Information Act (FOIA)
- Connecticut Personal Data Act
Purpose of Policy:
The purpose of this policy is to protect the University's Information Technology Resources by establishing the rules for granting vendors and other third parties access to the University of Connecticut's Information Technology Resources and support services, and defining vendor and other non-affiliated third-party responsibilities once access to those resources has been provided.

Expected Institutional Outcome:
It is expected that this policy will reduce the security and privacy risks and liability associated with granting vendors and other non-affiliated third parties access to the University's Information Technology Resources.

Definitions:
Information Technology Resources: Any data or information stored in digital form and the computer systems or other means used to access that information.
Non-Publicly Available: Information that an individual knows or reasonably should know has not been made available to the general public.
Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative units, for University business. Official University webpages clearly convey a relationship to the entire University and support and advance the University's mission.
Publicly-Available: Any information that is either published on one of the Official University webpages, the Undergraduate or Graduate Catalog, or other official University publication.
University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy.
Data Steward: The entity/entities or office/offices delegated by the President and/or his designee(s) with the policy-level responsibility for establishing definitions of the data assigned to him/her (i.e. defined portions of University Data) and developing general procedures and guidelines for the management, security and access to those data sets, as appropriate.

Applicability of Policy:
This policy applies to any department within the University that stores, uses, or transmits electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations. The policy is recommended for all departments that have data that should be protected from unauthorized disclosure, interrupted availability, or damage.

Policy Statement:
Prior to granting a vendor or other non-affiliated third party access to Non-Publicly Available University Information Technology Resources, each impacted department within the University that maintains a relationship with a product or service vendor or other non-affiliated third party that may intentionally or unintentionally be given access to Non-Publicly Available data will ensure that the vendor or other third-party non-affiliate has formally agreed to protect the security of that data. These agreements will include the following points:

1. The level of access granted to the vendor or other third-party non-affiliate has been limited to those University of Connecticut information technology resources that are required to carry out the specified business need of the University. The access must be enabled for specified tasks and functions, and limited to specific individuals and only for the time period required to accomplish approved tasks. Vendor access must be uniquely identifiable, and password management must comply with the University of Connecticut Password Security Standards. Appropriate procedures for terminating access must be followed upon the departure of a vendor employee from the contract/agreement or upon the termination/completion of the contract/agreement.

2. Prior to granting a vendor or other third-party non-affiliate access to University of Connecticut information technology resources, the vendor will be required to sign an agreement/contract with the University that specifies:
- The University of Connecticut information technology resource(s) to which the vendor will be granted access
- The business purpose for which access is to be granted and limiting access to that purpose
- The information the vendor may have access to
- A statement indicating that the vendor agrees to comply with all applicable Federal and State laws and regulations and University policies with respect to preserving the confidentiality of the information to which they may have access and that they will not disclose in any way the information or the existence of the information, and that in the event any person(s) seek to access protected and confidential data or information, that such access shall be through the University, and that the vendor shall only retrieve such data or information as identified by the University or as otherwise required by Federal and/or State law.
- The safeguards that the vendor intends to utilize to protect the University's information
- The acceptable method(s) for the return, destruction or disposal of the University of Connecticut's information in the vendor's possession at the end of the contracted period or completion of the service
- A statement indicating that any information acquired by the vendor in the course of the contract/agreement cannot be used for the vendor's own purposes or divulged to others
- That the vendor will restrict access to University of Connecticut data/resources to only those vendor employees who are required to provide the service
- The vendor agrees to hold the University harmless for any suits resulting from their negligence or failure to abide by terms of the contract
- Vendor will take all reasonable steps, based upon relevant industry standards, to protect the University's data/resources from corruption, tampering, or other damage
- Vendor agrees that in the event that a security breach of its systems or processes exposes the University's Non-Publicly Available data to a third party, the vendor will take immediate steps to limit and mitigate such security breach as well as provide immediate notification and full information, if known, regarding the breach to the University.
3. Vendors and other third-party non-affiliates are expected to adhere to all applicable Federal and State statutes and University policies, including the University's Security Policy and the Individual Responsibilities with Respect to Appropriate Use of Information Technology Resources policy, and must follow all applicable University of Connecticut change control processes and procedures.

4. The University of Connecticut will provide a point of contact for the vendor. This contact person will work with the vendor to make certain that the vendor is in compliance with these statutes and policies.

5. Each vendor must provide a list of employees working on the contract/agreement. This list must be updated and provided to the University of Connecticut within 48 hours of staff changes.
- Each vendor employee with access to Non-Publicly Available University of Connecticut information must be approved to access that information by the Data Steward of that information.
- Any vendor employee who is required to be on site at the University of Connecticut in order to carry out the terms of the contract/agreement is expected to be able to provide adequate identification if requested, and the custodian of the specific information technology resource is expected to take the appropriate steps to verify the authorization for the vendor employee to access that specific resource.
- Vendor personnel must report all security incidents directly to the UITS Director of IT Security, Policy and Quality Assurance at (860) 486-8255. If vendor management is involved in University of Connecticut security incident management, the responsibilities and details must be specified in the contract/agreement.
Responsibilities:
Any department and/or individual entering into a relationship with a product or service vendor or other non-affiliated third party that may result in access to Non-Publicly Available data is responsible for ensuring the completion and signing of a confidentiality agreement that specifies instructions concerning the data to which the vendor or other non-affiliated third party may have access. The Purchasing Department should be contacted for assistance in developing all contracts and agreements.

Enforcement and Review:
The Chief Information Officer has overall responsibility for this policy. The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy. Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in the loss of vendor and/or other third-party non-affiliate access to University of Connecticut information technology resources, removal of the vendor and/or third-party non-affiliate from University of Connecticut facilities, termination of the vendor and/or third-party non-affiliate contract/agreement, and criminal or civil charges based on the nature of the violation.

Last updated: August 2008