
Third-Party Integration Policy

Version 1.1

Purpose

The purpose of this policy is to ensure that third-party integration contracts and service level agreements (SLAs) follow best practices that keep University IT Resources secure and running optimally.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Third-party applications must integrate with the University’s authentication services (e.g., CAS, SAML, SSO) for end-user and administrative access.
  • Third-party integrations must connect via an Application Programming Interface (API).
  • Third parties must allow the University to audit their controls.
  • Third parties must provide access to their logs (e.g., for troubleshooting, security, and monitoring) and the ability to modify logging verbosity.
  • Third parties must provide an SLA, a disaster recovery plan, and a business continuity plan.
    • The third party’s disaster recovery plan should match the University’s service-level expectations.
    • Third parties should attest to, or allow Fordham to validate, the disaster recovery and business continuity plans.
  • Third parties must follow the Data in Transit and Data at Rest policies.
  • Third parties must provide a SOC 2 Type I or Type II report (issued under SSAE 16/18) or an equivalent independent attestation demonstrating that the controls protecting the University’s data are in place.
  • Third parties must submit to Fordham IT’s Third-Party Risk Management framework.
  • Users engaging a third-party service must follow the practices outlined in the Third-Party Integration Procedure.
  • Third-party services must abide by the University’s provisioning and de-provisioning policies and procedures.
  • When the University’s authentication services are not applicable, local account ownership and permissions should conform to the University’s Acceptable Use of IT Infrastructure and Resources policy.
  • The Chief Information Security Officer (CISO) must authorize any deviation from these requirements.

Definitions

An application programming interface (API) is a defined set of functions or procedures through which separate application modules, or separate applications, exchange data and invoke one another’s capabilities without exposing their internal implementation.

Central Authentication Service (CAS) is a single sign-on protocol that permits Users to access multiple applications after providing their credentials (e.g., username, password) once to the central CAS server, which then issues service tickets to the individual applications.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Security Assertion Markup Language (SAML) is a widely used standard for exchanging signed authentication and authorization assertions between an Identity Provider (the University) and a Service Provider (the third-party application). The User authenticates to the Identity Provider, and the Service Provider accepts the resulting assertion, so the third-party application never handles the User’s password.

Single sign-on (SSO) is a session and User authentication service that permits Users to apply one set of login credentials (e.g., username, password) to access multiple applications.

A third party is any non-Fordham entity that provides a product or service and has access to University IT Resources.

Third-party integration is the process of connecting separate subsystems (components) into a single, more extensive system that functions as one.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: November 25, 2019

Revision History

Version  Date        Description
1.0      11/25/2019  Initial document
1.1      12/04/2020  Updates to the policy statement and related policies

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.