Third Party Sensitive Data Handling Inventory

Version 1.0


The purpose of this policy is to ensure that an inventory of third-party vendors who process Fordham Protected and Fordham Sensitive Data is maintained and updated.  


This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked. 

Policy Statement

  • Where applicable, DevOps and Information Security and Assurance should keep an inventory (e.g., “PACE List,” ReposITory, ServiceNow, CMDB) of all third-party vendors and service providers who process Fordham Protected and Fordham Sensitive Data and follow the Data Classification and Protection Policy, Data Classification Guidelines, Data at Rest Policy, and the Data in Transit Policy. 
  • Data Owners are responsible and accountable as identified in the designated inventory. 
  • Data Custodians must work with the Data Owners to classify the vendor in the inventory according to the level of impact on Fordham University’s business operations. 
    • Low-Risk Vendors,
    • Medium-Risk Vendors,
    • High-Risk Vendors, or
    • Critical Risk Vendors
  • High-Risk Vendors have the most effect on Fordham’s operations and cybersecurity if they are compromised.
  • The third-party data handling inventory should be reviewed annually by the Data Custodians working with the Data Owners.  


Data Custodian is the individual to whom day-to-day actions have been assigned by the Data Owner and is responsible for storing, maintaining, and protecting information. 

Data Owner(s) are responsible for the information, security, and use of a particular set of information. 

Critical Risk Vendors are critical to operations, and failure or inability to deliver contracted services could result in the organization’s failure.  

High-Risk Vendors have access to data and have a high risk of information loss. As a result, the organization is highly dependent on these vendors from an operational standpoint, but they are not necessarily mission-critical.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services. 

Low-Risk Vendors do not have access to data, and loss of services would not be disruptive to the organization. 

Medium-Risk Vendors have limited access to information, or their loss of services would be disruptive to your organization.

Third-party risk management is the process of controlling activities that could potentially lead to positive or negative results due to outsourcing specific functions and operations to outside parties. 

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: December 12, 2022

Revision History

1.0 12/12/2022 Initial document 

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions. 
