SP 6-10x – Third Party Management

Colorado Community College System / System Procedure



APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCES:

Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10a, Acceptable Use of Information Assets
System Procedure (SP) 6-10s, Remote Access

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

BASIS

This procedure documents the requirements for entering, maintaining, and monitoring business relationships with third parties, and ensuring that Cyber Security Procedures are followed for the protection of the Colorado Community College System and its Colleges (“CCCS”) Information Systems and Assets.

APPLICATION

This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.

DEFINITION

Third Party Provider
A Third Party Provider is defined as a service provider, integrator, vendor, or instructional partner that is external to CCCS.

PROCEDURE

The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and comply with this procedure at their respective institutions.

CCCS works with various Third Party Providers. Such interactions often require the disclosure of Sensitive or Restricted information to the Third Party Provider, or access to such information by the Third Party Provider. Prior to disclosing such information to the Third Party Provider, the intended recipient must be authorized in writing to receive the information and CCCS must have confidence that the information security measures adopted by the Third Party Provider will protect the confidentiality and integrity of the information.

Third Party Selection
CCCS shall exercise appropriate due diligence in the selection of Third Party Providers.

Contract Requirements

  • Arrangements involving Third Party Provider access to Sensitive or Restricted CCCS information shall be based on a formal written contract or purchase order.
  • The contract or purchase order shall contain or reference assigned data protection responsibilities.
  • CCCS shall require by contract or purchase order that the Third Party Provider implement reasonable administrative, technical and physical safeguards to protect Sensitive or Restricted information that, at a minimum, meet CCCS Cyber Security Procedure requirements.

Contract Approvals

  • System and Colleges shall implement a review and approval process for contracts that involve the disclosure of Restricted information.

Secure Transmission of Information
Prior to transmission of Sensitive or Restricted CCCS information to a Third Party Provider, the System IT Department (“System IT”) or College IT Department (“College IT”) must determine a secure and effective method for providing the Third Party Provider with such information.

Direct Connectivity to the CCCS Network
Third Party Providers who will have direct access to the CCCS network, either remotely or onsite, shall agree in writing to abide by CCCS’s Cyber Security Procedures. Additionally, the Third Party Provider must complete CCCS’s security awareness training prior to being granted access.

Management and Monitoring

  • IT services provided by Third Party Providers that have access to Sensitive or Restricted information shall be governed by appropriate and approved service level agreements. CCCS shall monitor and enforce these agreements. Third Party Provider compliance with agreed-upon security procedures shall also be monitored and enforced.
  • Any changes to the security posture of services provided by Third Party Providers are to be agreed upon in writing prior to the changes taking place, with the service level agreements being amended accordingly.

Contract Retention
The CCCS contract custodian shall securely retain official copies of Third Party Provider contracts, agreements, memoranda of understanding, etc. System IT or College IT may retain duplicate copies of such documentation to facilitate management and monitoring.

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.