IT Vendor Management Policy

Purpose

To ensure that IT vendors are taking appropriate steps to protect Wesleyan data.

Scope

This policy covers all vendors who provide software that stores, processes, or transmits restricted or confidential information or whose software interfaces with Wesleyan systems that store, process, or transmit restricted or confidential information. This policy also covers all consultants working on Wesleyan systems that store, process, or transmit restricted or confidential information.

Policy

Contract process

Before signing a contract, the vendor will provide Wesleyan University with a SOC2 report, a completed HECVAT document, or a comparable document outlining the information security controls the vendor is using. The contract must include language confirming that the vendor uses, at a minimum, reasonable commercial security measures, and it must specify that, in the event of a breach of a vendor system, the vendor is responsible for notifying Wesleyan’s Chief Information Security Officer within 72 hours of the detection of the breach.

Annual review

The Chief Information Security Officer will contact each vendor annually to request a copy of their current SOC2 report, completed HECVAT document, or comparable document outlining the information security controls that the vendor is using.

Appendix

Reasonable commercial security measures

The following is a non-exhaustive list of what Wesleyan considers to be reasonable commercial security measures:

  • Patches are installed within 90 days of release, with critical patches being installed within 30 days of release. Patches are applied to both the application and the underlying operating system.
  • Password strength is in line with NIST Special Publication 800-63B. A copy of this document is available at https://pages.nist.gov/800-63-3/sp800-63b.html.
  • Multi-factor authentication is used.
  • Deprecated encryption ciphers are not used.
  • All data transfers take place across encrypted channels. When that is not possible, all data being transferred is contained in an encrypted file using PGP or a comparable program.

Approval History

2024-01-30 Policy adopted