Third-Party Security Management Policy

Last reviewed: October 6, 2022
Last modified: October 6, 2022

  1. Introduction

    This policy aims to ensure that all contracts and agreements between the University of Denver and third parties include acceptable levels of information security and information governance processes, so that University data is protected and managed in line with statutory requirements and best practices.
    This policy applies to all vendors, contractors, consultants, partners, and third parties that use, have access to, or manage information on behalf of the University.

  2. Policy Overview

    The University has established management practices to control security risks associated with third-party engagements.
    The University has established minimum security requirements for third-party access to its systems and data.

  3. Policy Process

    As part of ongoing due diligence, the University conducts risk management assessments of its third-party relationships. It sets security requirements commensurate with the level of risk and complexity, including compliance and regulatory risk.

    1. Third-Party Management
      1. Security Review
        1. Perform pre-contract due diligence to assess the security of third parties and their systems, applications, or services (IT security, financial stability, reputation, etc.). See Appendix A, Table 1.
        2. Security reviews of third-party relationships will be evaluated commensurate with the level of risk and complexity, based on third-party classification. See Appendix A, Table 1.
        3. Information Security will review the security assessment and determine whether the third party meets the University's security requirements; if the third party does not meet the University's expectations, compensating controls must be implemented and the third party reassessed.
      2. Contracting Agreements
        1. Execute a Data Processing Addendum (DPA) where applicable.
        2. Minimum security requirements must be included in third-party contracts. The CISO will develop and maintain a set of security requirements to be included in third-party contracts. See the Third-Party Contract Security Requirements.
        3. Third parties must sign a Non-Disclosure Agreement (NDA) before being given access to University systems and data.
      3. Third parties must be classified based on business criticality and the sensitivity of the data they are expected to hold, process, or access.
      4. The University has adopted a minimum set of security requirements for third-party access. See the third-party access security requirements outlined in the Contractors and Vendors section of the User Account and Access Management policy.
      5. Third-party contracts must be tracked. Unless otherwise specified, the contract owner is designated as the DU Liaison.
      6. Third parties must perform periodic security reviews throughout the lifecycle of the relationship. See Appendix A, Table 3.
      7. Upon contract termination, the University must work with the third party to have its data returned or destroyed.

    2. Regulatory Compliance Requirements
      1. HIPAA Compliance – Contracts with third parties that handle protected health information (PHI) should adhere to the same general guidelines as other contractual relationships in which the University is involved.
      2. FERPA Compliance – Contracts with third parties that handle education records, including personally identifiable information covered by FERPA, shall adhere to the same general guidelines as other contractual relationships in which the University is involved.
      3. GDPR Compliance – Contracts with third parties that handle personal data (PD) of European Union (EU) citizens: the third party will likely have to adhere to GDPR, including respecting the rights of data subjects and the restrictions on where data may or may not be stored.

    3. Exceptions
      Exceptions to this policy must be reviewed and approved by IT management.

  4. Definitions
  • Information Security: the University's information security team.
  • DU Liaison: Typically, the business manager who has requested or contracted with the third party.
  • Third Party: Vendors, contractors, and business partners with which the University has a contract.

    Appendix A
    Table 1: Third-Party Assessment Process Based on Data Classification

    Data Classification / Data Type | Security Questionnaire / SOC 2 or equivalent | Information Security Check | Can the unit accept the risk?
    Public | Recommended | Optional / light check | Yes
    Internal | Recommended | Yes / light check | No
    Confidential | Required | Yes / standard review | No
    Sensitive or Restricted (HIPAA / FERPA / PII / CUI / PCI / CPA) | Required | Yes / standard review + HIPAA/FERPA/PCI audit requirements | No

    Table 2: Third-Party Assessment and Contract Documents

    Data Security Document | Responsibility | Requirement Description
    Request for third-party security review | DU Unit | Required at the start of the third-party contracting process and when requesting an IA data classification determination, or for the evaluation of alternative documentation from vendors.
    Minimum Security Requirements | Purchasing Services | Minimum security requirements for contracts.
    Data Security Addendum (or equivalent) | Purchasing Services | Required for all agreements and contracts where a third party accesses, processes, or maintains any type of institutional data classified as Confidential or Sensitive; recommended for data classified as Internal (or the unit can accept the risk); not required for data classified as Public.
    Security Questionnaire | Purchasing Services | Required to be completed prior to contract award or agreement with a prospective third party that will access, process, or maintain data classified as Confidential or Sensitive.
    Third-Party Security Review Memo | Information Security | The review memo outlines any cybersecurity risks identified as part of the security review process, any recommendations, and Information Security's disposition.
    Security Exception | Information Security | Identified third-party security issues are documented and signed off by DU Unit leadership and IT leadership. Reviewed at least annually. Included in the cybersecurity risk report to senior leadership.
    Payment Card Information Attestation of Compliance | Merchant Services | Required annually from a Qualified Security Assessor (QSA) (or the third party must be listed as a Level 1 provider on the VISA website).

    Table 3: Third-Party Security Reviews

    Security Light
    Documents required / reviewed:
      • Third-party provided application/service security information
      • Security scorecard information
      • Third-party breach information
      • Added to the security review tracking document
    Outcome: Third-Party Security Review Memo (email)

    Standard Review
    Documents required / reviewed:
      • Third-party provided application/service security information
      • Security scorecard information
      • Third-party breach information
      • Onsite assessment (as needed)
      • Security questionnaire or SOC report
      • Added to the security review tracking document
    Outcome: Third-Party Security Review Memo (email or document)

    Periodic Review
    Documents required / reviewed:
      • Review of risk assessments conducted by an unaffiliated third party, the DU security questionnaire, or a SOC 2 report
      • Review of SLAs, breaches, and security incidents
      • Ongoing third-party security performance
      • Vulnerability scans on third-party equipment connected to the University's network
      • Any weaknesses or deficiencies identified during an independent or organizational assessment of a third party will require a plan from the third party for making the needed improvements
      • (As needed) Onsite reviews, including walk-through/visual inspection of facilities, interviews with onsite personnel, and review of policies and procedures
    Outcome: Third-Party Security Review Memo (email or document)
