Third-Party Integration Policy
The purpose of this policy is to ensure third-party integration contracts and service level agreements (SLA) follow best practices to keep University IT Resources secure and running optimally.
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- Third-party applications must integrate with the University’s authentication services (e.g., CAS, SAML, SSO) for end-user and administrative access.
- Third-party integrations must connect via an application programming interface (API).
- Third parties must allow their controls to be audited.
- Third parties must provide access to logging (e.g., for troubleshooting, security, monitoring, and modifying verbosity).
- Third parties must provide an SLA, a disaster recovery plan, and a business continuity plan.
- The third-party’s disaster recovery plan should match University service-level expectations.
- Third parties should attest to the disaster recovery and business continuity plans or allow Fordham IT to validate them.
- Third parties must follow the Data in Transit and Data at Rest policies.
- Third parties must demonstrate SSAE 16/18 or similar certification to ensure the University’s data is secure.
- Third parties must submit to Fordham IT’s third-party risk management framework.
- Users engaging a third-party service must follow the best practices outlined in the Third-Party Integration Procedure.
- Third-party services must abide by University provisioning and de-provisioning policies and procedures (e.g., Human Resources’ provisioning and de-provisioning processes).
- When the University’s authentication services are not applicable, ownership of and permissions for local accounts should be managed per University standards.
- The Chief Information Security Officer (CISO) must authorize any deviations from the requirements.
An application programming interface (API) is a set of functions or procedures that are used to integrate and bridge communication between the modules of an application and to integrate the application with other third-party applications.
Central Authentication Service (CAS) permits a user to access multiple applications while providing their credentials (e.g., name, password) only once.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Security Assertion Markup Language (SAML) is a current standard for session-based, password-less authentication between an Identity Provider (the University) and a Service Provider (the third-party application).
Single sign-on (SSO) is a session and user authentication service that permits users to apply one set of login credentials (e.g., name, password) to access multiple applications.
SSAE 16 or 18 SOC 2 audit types:
- Type I: auditors test the accuracy of a service provider's description and assertion.
- Type II: the Type I audit is combined with testing of the implementation and effectiveness of the controls over a specific period.
A third-party is any non-Fordham entity that provides a product or service and has access to University IT Resources.
Third-party integration is the process of connecting separate subsystems (components) into a single, more extensive system that functions as one.
Related Policies and Procedures
- Data Classification Guidelines
- Data Classification Policy
- Data at Rest Policy
- Data in Transit Policy
- Third-Party Integration Procedure
Responsible Person: Director, IT Risk and Data Integrity
Approval Date: November 25, 2019
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.