Third-Party Engagement Policy
Version 2.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
This policy ensures that contracts and Service Level Agreements (SLAs) adhere to best practices for Third-Party engagements while maintaining the security of the University’s IT Resources.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Third-Party applications must integrate with the University’s authentication services (e.g., CAS, SAML, SSO) for end-user and administrative access.
- If University authentication services are not applicable, local account ownership and permissions must align with the University's Acceptable Use of IT Infrastructure and Resources policy.
- Third-Party integrations must connect via an Application Programming Interface (API), if applicable.
- Third parties must provide auditing capabilities to assess security and operational controls.
- Logging must be accessible for troubleshooting, security monitoring, and modifying verbosity settings as needed.
- Third parties must provide an SLA, disaster recovery, and business continuity plan.
- The Third-Party’s disaster recovery plan should match the University’s service-level expectations.
- Third parties must attest to or permit the University to validate disaster recovery and business continuity plans.
- Users must ensure third parties comply with the Data in Transit Policy, the Data at Rest Policy, and the Data Classification Guidelines.
- Third parties must demonstrate compliance with industry security standards (e.g., SSAE 18, SOC 2 Type II, ISO 27001).
- Third-Party services must be reviewed by the Office of Information Technology’s Third-Party risk management process.
- Users engaging in Third-Party services must adhere to the Third-Party Integration Procedure.
- Third-Party services must follow the University’s provisioning and de-provisioning policies and procedures.
- Third parties must disclose, as applicable to law or regulations, any N-th Parties (i.e., subcontractors, suppliers, vendors) that provide services involving University data or IT Resources.
- Third parties must contractually ensure that all associated N-th Parties adhere to this policy and meet the University’s security, compliance, and risk management requirements.
- N-th Parties must provide relevant security attestations (e.g., SSAE 18, SOC 2 Type II, ISO 27001) and compliance documentation upon request.
- The University reserves the right to review N-th Party compliance through its Third-Party risk management process.
- If an N-th Party does not meet security or compliance expectations, the University may require the Third Party to implement compensating controls or replace the N-th Party service.
- The Chief Information Security Officer (CISO) must authorize any deviations from this policy’s requirements for both Third and N-th Parties.
Definitions
Application Programming Interface (API) is a set of protocols enabling software communication and integration with third-party applications.
Central Authentication Service (CAS) is an authentication protocol allowing authorized users to access multiple applications.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Security Assertion Markup Language (SAML) is a session-based authentication standard that enables identity verification between the University and a third-party service.
Single Sign-On (SSO) is a service that allows users to access multiple applications using a single set of login credentials.
A Third-Party is any non-Fordham entity that provides a product or service to the University.
N-th Parties are any subcontractor, supplier, or downstream vendor engaged by a Third-Party to provide services that process, store, or interact with University data or IT Resources. This includes Fourth, Fifth, or any additional level of vendors beyond direct contractual relationships.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources
- Business Continuity and Disaster Recovery
- Data Classification Guidelines
- Data Classification and Protection Policy
- Data at Rest Policy
- Data in Transit Policy
- Provisioning and Deprovisioning
- Third-Party Integration Procedure
Implementation Information
Item | Value |
---|---|
Review Frequency: | Triennial |
Responsible Person: | Senior Director of IT Security and Assurance |
Approved By: | CISO |
Approval Date: | November 25, 2019 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 11/25/2019 | Initial document |
1.1 | 12/04/2020 | Updated policy statement and related policies |
1.2 | 07/26/2023 | Updated purpose and policy statements |
2.0 | 03/10/2025 | Updated purpose, added N-th Parties language, renamed the policy (from Integration to Engagement) |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.