Third-Party Integration Procedure

Purpose

The purpose of this procedure is to ensure third-party integration contracts and Service Level Agreements (SLA) follow the University's requirements. These procedures assist in adherence to the Third-Party Integration Policy.

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

When using third-party integrations, arrange that:

1. Initial data loads typically performed via SFTP, SSH, or HTTPS require PGP or GPG data encryption before transferring using 4096-bit or greater keys.
2. Data integrations are performed via APIs and messaging queues, not by flat-file transfers.
3. Third-parties demonstrate they have a formal, documented, and automated process for granting and revoking access to all systems that process or store Fordham Protected Data or Fordham Sensitive Data.
4. Third-party User access rights are limited to a need-to-know basis that permits access only to the IT Resources required to perform their duties.
5. Third-parties assign unique User IDs, not to be shared with any other individuals when handling Fordham Protected Data or Fordham Sensitive Data.
6. Authenticators used in multi-factor authentication (MFA) be stored securely.
7. Third-parties maintain an IT Resources access audit and annually make it available to the University either upon request or as an automated log transfer. Be sure the audit includes:
   1. System security events
   2. Events that result in the access, modification, or deletion of IT Resources that process or store University data
   3. A record of the following information for each event:
      1. Identity of the user/subject,
      2. Type of event,
      3. Date and time,
      4. Source (e.g., email, SFTP record),
      5. Detection of unauthorized access, and
      6. Outcome (e.g., success, failure) associated with the event.
   4. Read-only audit logs are protected from unauthorized access.
8. Upon the termination of any third-party engagement, revoke User access immediately.
9. Third-party User access is revoked if a job role change eliminates the need to access University's IT Resources.

Definitions

GNU Privacy Guard (GPG, also GnuPG) is a free encryption software compliant with the OpenPGP (RFC4880) standard. 

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

PGP encryption (Pretty Good Privacy encryption) is a data encryption program that gives cryptographic privacy and authentication for online communication. It is often used to encrypt and decrypt texts, email, and files to increase email security.

Related Policies and Procedures

• Data Classification Guidelines
• Data Classification Policy
• Data at Rest Policy
• Data in Transit Policy
• Third-Party Integration Policy

Implementation Information

Revision History