Skip to main content

Third-Party Integration Procedure

Version 1.0

Purpose

The purpose of this procedure is to ensure third-party integration contracts and service level agreements follow best practices.

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

  1. You must adhere to the Third-Party Integration Policy.
  2. When engaging with third-party integrations, the following must be arranged:
    1. Third-parties must have a formal, documented, and automated process for granting and revoking access to all systems that process or store Fordham Sensitive Data.
    2. Third-party’s User access rights shall be strictly limited to a need-to-know basis that permits access only to the systems and resources that are required for Users to perform their duties.
    3. Third-party Users with authorized access to Fordham Sensitive Data must be assigned a unique User ID, which must not be shared with any other individuals.
  3. Authenticators used in multi-factor authentication (MFA) must provide secure storage protections.
  4. Access rights must be revoked immediately and in an automated fashion upon the termination of any third-party User with access to the University’s IT Resources or if a change in job role eliminates the requirement for continued access.
  5. Third-parties must annually review User all-access rights authorizations.
  6. All third-party User access to systems storing Fordham Sensitive Data must be audited, maintained, and made available to the University, either upon request or as an automated log transfer.
    1. All systems that process or store University data must maintain an automated audit trail that documents system security events and any event that results in the access, modification, or deletion of University data.
    2. The audit trail must, at a minimum, record the following information for each event:
      1. The identity of any user/subject,
      2. Type,
      3. Date and time,
      4. Source (e.g., email, SFTP record), and
      5. Outcome (success or failure) associated with the event.
    3. The audit logs must be read-only and protected from unauthorized access.
    4. Audit records documenting events (e.g., access, modification, deletion) must be made available to the University either upon request or as an automated log transfer.
    5. The third-party must employ a regular audit log review process (either manually or automated) for the detection of unauthorized access to University data.
  7. Initial data loads typically performed via SFTP must require PGP or GPG encryption of the data before transfer using 4096 bit or greater keys.
  8. Data integrations must be performed via APIs and messaging queues not via flat file transfers.

Definitions

GNU Privacy Guard (GPG, also GnuPG) is a free encryption software that's compliant with the OpenPGP (RFC4880) standard. 

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

PGP encryption (Pretty Good Privacy encryption) is a data encryption computer program that gives cryptographic privacy and authentication for online communication. It is often used to encrypt and decrypt texts, emails, and files to increase the security of email.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: November 25, 2019

Revision History

Version: Date: Description:
1.0 11/25/2019 Initial document