Third-Party Integration Policy
The purpose of this policy is to ensure third-party integration contracts and service level agreements (SLA) follow best practices to keep University IT Resources secure and running optimally.
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- Third-party applications must integrate with the University’s authentication services (e.g., CAS, SAML, SSO) for end-user and administrative access.
- Third-party integrations must connect via an Application Programming Interface (API).
- Third parties must allow the University to audit their controls.
- Third parties must provide access to logs (e.g., for troubleshooting, security, and monitoring) and the ability to modify logging verbosity.
- Third parties must provide an SLA, a disaster recovery plan, and a business continuity plan.
- The third party’s disaster recovery plan should meet the University’s service-level expectations.
- Third parties should attest to, or allow Fordham to validate, their disaster recovery and business continuity plans.
- Third parties must follow the Data in Transit and Data at Rest policies.
- Third parties must demonstrate an SSAE 16/18 SOC 2 Type I or Type II report, or a similar independent attestation, to ensure the University’s data is secure.
- Third parties must submit to Fordham IT’s Third-Party Risk Management framework.
- Users engaging a third-party service must follow the practices outlined in the Third-Party Integration Procedure.
- Third-party services must abide by the University’s provisioning and de-provisioning policies and procedures.
- When the University’s authentication services are not applicable, the ownership and permissions of local accounts should match the University’s Acceptable Use of IT Infrastructure and Resources policy.
- The Chief Information Security Officer (CISO) must authorize any deviations from these requirements.
Definitions
An application programming interface (API) is a defined set of functions or procedures through which separate application modules, or separate applications from different parties, communicate and exchange data.
Central Authentication Service (CAS) is a single sign-on protocol that permits Users to access multiple applications after providing their credentials (e.g., username, password) only once, to the CAS server rather than to each application.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Security Assertion Markup Language (SAML) is a current standard for session-based authentication between an Identity Provider (the University) and a Service Provider (the third-party application). The User authenticates to the Identity Provider, which sends a signed assertion to the Service Provider; the Service Provider never receives the User’s password.
Single sign-on (SSO) is a session and User authentication service that permits Users to use one set of login credentials (e.g., username, password) to access multiple applications.
A third party is any non-Fordham entity that provides a product or service and has access to University IT Resources.
Third-party integration is the process of connecting separate subsystems (components) into a single, more extensive system that functions as one.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources
- Business Continuity and Disaster Recovery
- Data Classification Guidelines
- Data Classification and Protection Policy
- Data at Rest Policy
- Data in Transit Policy
- Provisioning and Deprovisioning
- Third-Party Integration Procedure
| Responsible Person: | Director, IT Risk and Data Integrity |
| Approval Date: | November 25, 2019 |

| Version | Date | Description |
|---|---|---|
| 1.1 | 12/04/2020 | Updates to the policy statement and related policies |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.