2.6 Vendor Management
Vendors or third-party contractors may access the University’s Information Technology Resources or Institutional Information only if an appropriate agreement is established, ensuring compliance with applicable information security and privacy regulations and standards, based on the type of Institutional Information involved. Please consult the University Vendor Management Plan before initiating a contractual process to understand and address the applicable compliance controls.
Why
Utah State University (USU) relies on third-party vendors and contractors to provide critical services, software, and infrastructure. However, granting external entities access to Institutional Information and IT Resources introduces security and compliance risks, including data breaches, unauthorized access, and regulatory violations. Without proper vendor oversight, USU risks exposure to security vulnerabilities, legal liabilities, and operational disruptions.
To mitigate these risks, all vendor engagements must include appropriate agreements that enforce compliance with relevant information security and privacy regulations, such as FERPA, HIPAA, GDPR, and GLBA. USU Legal will oversee vendor management processes, ensuring that contracts include necessary security controls and compliance requirements. Additional guidance and requirements for vendor security reviews will be provided through upcoming resources on the USU Legal website. By following the University Vendor Management Plan, USU ensures that third-party risks are effectively managed, security expectations are clearly defined, and university data remains protected.
How
USU requires all third-party vendors and contractors with access to Institutional Information or IT Resources to undergo a security and compliance review before engagement. The USU Legal team will oversee vendor contract management, ensuring that agreements include necessary security provisions, regulatory compliance clauses, and data protection requirements. The University Vendor Management Plan will provide step-by-step guidance on evaluating vendor risks, defining security expectations, and enforcing contractual obligations.
Access to Institutional Information by third parties will be granted only when appropriate safeguards are in place, such as data encryption, access controls, and compliance attestations. Resources on the USU Legal website will provide detailed procedures and compliance guidelines to assist departments in managing vendor relationships effectively. These measures ensure that USU maintains data security, regulatory adherence, and risk mitigation when working with external vendors.