Third Party Management

General

This section implements Integrated CSU Administrative Manual (ICSUAM) Policy 8040.0.

Management of Third Parties

Any third party that requires access to the University’s information assets must undergo a risk assessment in accordance with Section 2 of this plan. If the third party will require access to Level 1 or Level 2 data, the third party risk assessment must be conducted by the Information Security Officer or designee, in consultation with T&I Leadership.

Annually, the Information Security Officer or designee will review third parties with access to the University’s information assets to verify that the access is still required for business needs.

Granting Access to Third Parties

No third party service provider may receive access to University information assets unless they require that access for a legitimate and documented business need. In any case, each third party service provider may only receive access that is required to accomplish the documented business need. No other access may be provided.

Each third party service provider requiring access to University information assets must have a contractual relationship with the University. The contract must include specific provisions requiring the service provider to protect the University’s information. If a third party will store or transfer Level 1 or Level 2 data, the contract must also include provisions to ensure the secure destruction or disposal of this data.

The Information Security Officer or designee will participate in such contract negotiations to ensure the implementation of appropriate security controls.