Third Party Sensitive Data Handling Inventory
Version 2.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure that an inventory of third-party vendors who process Fordham Protected and Fordham Sensitive Data is maintained and updated.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Where applicable, DevOps and Information Security and Assurance should keep an inventory (e.g., “PACE List,” ReposITory, ServiceNow, CMDB) of all third-party vendors and service providers who process Fordham Protected and Fordham Sensitive Data and follow the Data Classification and Protection Policy, Data Classification Guidelines, Data at Rest Policy, and the Data in Transit Policy.
- Data Owners and Custodians must follow the Business Continuity and Disaster Recovery Policy to ensure the continuity and recovery of the University’s business following the loss of IT Resources.
- Where applicable, DevOps and Information Security and Assurance should keep an inventory (e.g., “PACE List,” ReposITory, ServiceNow, CMDB) of all third-party vendors and service providers who process Fordham Protected and Fordham Sensitive Data.
- Data Owners are responsible and accountable for the data in the designated inventory (i.e., “PACE List”).
- Data Custodians must work with the Data Owners to classify the criticality of their app (e.g., Mission Critical, Business Critical, or neither) in the inventory according to the level of impact it has on Fordham University.
Definitions
Business Critical is an IT Resource that requires special management attention because of its importance to a particular business entity, its high development, operating, or maintenance costs, or its significant role in the business programs, finances, property, or other resources.
Data Custodian is the individual to whom day-to-day actions have been assigned by the Data Owner and is responsible for storing, maintaining, and protecting information.
Data Owner(s) are responsible for the information, security, and use of a particular set of information.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Mission Critical is defined as an IT Resource that requires utmost attention because of its importance to the University's mission, its high development, operating, or maintenance costs, or its significant role in the administration of agency programs, finances, property, or other resources.
Third-party risk management is the process of controlling activities that could potentially lead to positive or negative results due to outsourcing specific functions and operations to outside parties.
Related Policies and Procedures
- Business Continuity and Disaster Recovery Policy
- Data Classification Guidelines
- Data Classification and Protection Policy
- Data at Rest Policy
- Data in Transit Policy
Implementation Information
| Review Frequency | Annual |
|---|---|
| Responsible Person | Senior Director of IT Security and Assurance |
| Approved By | CISO |
| Approval Date | December 12, 2022 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 12/12/2022 | Initial document |
| 1.1 | 11/22/2023 | Updated Policy Statement |
| 2.0 | 03/18/2024 | Updated Policy Statement, definitions, and policy disclaimer |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.