Information Technology Services

Standard 20: Vendor and Third-Party Controls

  1. UNF recognizes that vendors and other contractors serve an important function in the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, servers, and/or applications. This standard applies to contracts entered into by UNF that involve third-party access to, or creation of, information resources or University data.
  2. Contracts. Contracts of any kind, including purchase orders, memoranda of understanding (MOU), letters of agreement, or any other type of legally binding agreement, that involve current or future third-party access to or creation of information resources and/or data must include terms determined by the office of the General Counsel as sufficient to ensure that vendors and any subcontractors or other third parties that maintain, create, or access University data as the result of the contract comply with all applicable Federal and State security and privacy laws, this information resources and use policy, and any applicable University policies, procedures, or standards, and must contain terms that ensure that all University data affected by the contract is maintained in accordance with those standards at all times, including post-termination of the contract.
  3. The data owner, UNF procurement officers and staff, the UNF Chief Information Security Officer (CISO), and Privacy Officer are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance, or creation of University data; and that all such access, outsourcing, or maintenance fully complies with this standard at all times.
  4. Any contract involving third-party-provided credit card services must require that the contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
  5. Vendor or other third-party assessment. Prior to access, maintenance, or creation of University data by a vendor or any other third party, the University must perform an assessment to ensure that:
    1. The vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and integrity of the data at rest and during any transmission or transfer
    2. Any subcontractor or other third party that will access, maintain, or create data pursuant to the contract will also ensure the confidentiality, security, and integrity of such data while it is at rest and during any transmission or transfer
    3. All new and existing data integrations that share UNF data must be documented according to the standards documented by Institutional Research. More information can be found on the data governance website.
  6. As part of the University's assessment of a vendor or other third party, the University may request copies of any self-assessments or third-party assessments that the vendor or third party has access to.
  7. Access control measures. Vendor and other third-party access to University data must be controlled based on data sensitivity and risk. Controls must incorporate the following:
    1. Vendor must represent, warrant, and certify it will:
      1. Not release any University data unless vendor obtains the University's prior written approval and performs such a release in full compliance with all applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA)
      2. Not otherwise use or disclose University data except as required or permitted by law
      3. Safeguard data according to all reasonable administrative, physical, and technical standards (e.g., such standards established by the University or the National Institute of Standards and Technology)
      4. Continually monitor its operations and take any action necessary to assure the data is safeguarded in accordance with the terms of the UNF information resources use and security policy
      5. Comply with the vendor access requirements that are set forth in this standard
  8. Breach Notification. The following shall be required of the vendor.
    1. If an unauthorized use or disclosure of any University data occurs, the vendor must:
      1. Provide written notice within one business day after vendor's or third party's discovery of such use or disclosure
      2. Satisfy University information requests concerning such unauthorized use or disclosure
  9. Return of data. Within 30 days after the termination or expiration of a purchase order, contract, or agreement for any reason, vendor must either:
    1. Return or securely destroy, as specified by contract or agreement, all data provided to the vendor by the University, including all data provided to vendor's employees, subcontractors, agents, or other affiliated persons or institutions. Written proof (logs, etc.) of the destruction process must be available if requested.
    2. In the event that returning or securely destroying the data is infeasible, provide notification of the conditions that make return or destruction infeasible, in which case the vendor or third party must:
      1. Continue to protect all data that it retains
      2. Agree to limit further uses and disclosures of such data to those purposes that make the return or destruction infeasible for as long as vendor or other third party maintains such data
      3. To the extent possible, de-identify such data