Third-Party Integration Policy
Version 1.2
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure contracts and Service Level Agreements (SLA) follow best practices for third-party integrations and that University’s IT Resources are secure.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Third-party applications must integrate with the University’s authentication services (e.g., CAS, SAML, SSO) for end-user and administrative access.
- Third-party integrations must connect via an Application Programming Interface (API).
- Third parties must allow their controls to be audited.
- Third parties must provide access to logging (e.g., for troubleshooting, security, monitoring, and modifying verbosity).
- Third parties must provide an SLA, a disaster recovery plan, and a business continuity plan.
- The third-party’s disaster recovery plan should match the University’s service-level expectations.
- Third parties should attest to, or allow Fordham to validate, their disaster recovery and business continuity plans.
- Third parties must follow the Data in Transit Policy, the Data at Rest Policy, and the Data Classification Guidelines.
- Third parties must demonstrate SSAE 18, SOC 2 Type I or Type II, or a similar certification to ensure the University’s data is secure.
- Third parties must submit to the Office of Information Technology’s Third-Party Risk Management framework.
- Users engaging in a third-party service must follow the practices outlined in the Third-Party Integration Procedure.
- Third-party services must abide by the University’s provisioning and de-provisioning policies and procedures.
- When the University’s authentication services are not applicable, the ownership and permissions of local accounts should match the University’s Acceptable Use of IT Infrastructure and Resources.
- The Chief Information Security Officer (CISO) must authorize deviations from this policy's requirements.
Definitions
An Application Programming Interface (API) is a defined interface through which separate software modules communicate and through which University systems integrate with third-party applications.
Central Authentication Service (CAS) permits an authorized user to access multiple applications.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Security Assertion Markup Language (SAML) is a current standard for session-based, password-less authentication between an identity provider (the University) and a service provider (the third-party application).
Single Sign-On (SSO) is a session and user authentication service that permits Users to use one set of login credentials (e.g., username and password) to access multiple applications.
A Third-Party is any non-Fordham entity that provides a product or service.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources
- Business Continuity and Disaster Recovery
- Data Classification Guidelines
- Data Classification and Protection Policy
- Data at Rest Policy
- Data in Transit Policy
- Provisioning and Deprovisioning
- Third-Party Integration Procedure
Implementation Information
Field | Value |
---|---|
Review Frequency: | Triennial |
Responsible Person: | Senior Director of IT Security and Assurance |
Approved By: | CISO |
Approval Date: | November 25, 2019 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 11/25/2019 | Initial document |
1.1 | 12/04/2020 | Updated policy statement and related policies |
1.2 | 07/26/2023 | Updated purpose and policy statements |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.