Prairie View A&M University


Vendor Access


1. General

Vendors play an important role in supporting hardware and software management and operations for customers. Vendors might have the capability to remotely view, copy, and modify data and audit logs. They might remotely correct software and operating system problems; monitor and fine-tune system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of liability, embarrassment, and loss of revenue and/or loss of trust to the University.

2. Applicability

This procedure applies to vendor-accessible University mission critical and confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with vendor access. The procedures described herein apply to all departments, administrators, and vendors who are responsible for vendor-supplied information resources.

3. Definitions

  • Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
  • Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
  • Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.

4. Procedures

1. Personnel who provide vendors access to University mission critical or confidential information resources shall ensure vendor compliance with all applicable University policies, practices, standards, and agreements including, but not limited to: safety policies, privacy policies, security policies, auditing policies, software licensing policies, and responsible use policies.

2. Vendors who are given access to mission critical and/or confidential information shall have agreements and contracts that define:

a. The University information to which the vendor should have access;
b. How University information is to be protected by the vendor;
c. Acceptable methods for the return, destruction, or disposal of University information in the vendor's possession at the end of the contract;
d. That use of University information and information resources is only for the purpose of the business agreement. Any other University information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others;
e. That vendors shall comply with the terms of applicable non-disclosure agreements.

3. Prairie View A&M University shall provide an information resources point of contact to the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with University policies.

4. Each vendor shall provide PVAMU with a list of all employees assigned to University contracts. The list shall be updated and provided to the University within 24 hours of staff changes.

5. Appropriate access authorization for each onsite vendor employee (i.e., University affiliate) shall be specified by the resource owner according to the criticality of the information resource.

6. Vendor personnel shall report all security incidents to the Information Technology Services Help Desk at 936-261-2525.

7. The responsibilities and details of any vendor management involvement in University security incident management shall be specified in the contract.

8. The vendor must follow all applicable University change control processes and procedures.

All content © Prairie View A&M University 2009
All rights reserved.