{"id":325,"date":"2023-05-18T14:38:39","date_gmt":"2023-05-18T19:38:39","guid":{"rendered":"https:\/\/mitchellhamline.edu\/policies\/?post_type=policy&#038;p=325"},"modified":"2023-09-06T11:07:20","modified_gmt":"2023-09-06T16:07:20","slug":"vendor-management-policy","status":"publish","type":"policy","link":"https:\/\/mitchellhamline.edu\/policies\/policy\/vendor-management-policy\/","title":{"rendered":"Vendor Management Policy"},"content":{"rendered":"<h2>1.0 Background and Purpose<\/h2>\n<p>The purpose of the Mitchell Hamline School of Law (MHSL) Vendor Management Policy is to describe the actions and behaviors required to ensure that due care is taken to avoid inappropriate risks to MHSL, its business partners, and its stakeholders from any of its vendors.<\/p>\n<h3>1.1 Who Needs to Know?<\/h3>\n<p>The MHSL Vendor Management Policy applies to any individual who interacts with, sets up, or manages any MHSL vendor.<\/p>\n<h2>2.0 Policy<\/h2>\n<p><strong>Assessments<\/strong><\/p>\n<ul class=\"default\">\n<li>Vendors granted access to MHSL\u00a0Information Resources\u00a0must sign the MHSL\u00a0Vendor Non-Disclosure Agreement.<\/li>\n<li>Vendors must be evaluated prior to the start of any service and thereafter on an annual basis.<\/li>\n<li>High risk findings must be followed up to verify remediation.<\/li>\n<li>A vendor risk assessment must be performed on vendors with physical or logical access to confidential information or that are considered critical vendors.<\/li>\n<li>Risk assessments must be performed on all requested cloud providers before approval.<\/li>\n<li>Vendors with PCI DSS compliance requirements must have their status reviewed on an annual basis.<\/li>\n<\/ul>\n<p><strong>Management<\/strong><\/p>\n<ul class=\"default\">\n<li>Vendor agreements and contracts must specify:\n<ul class=\"default\">\n<li>The MHSL information the vendor should have access to,<\/li>\n<li>How MHSL information is to be protected by the vendor,<\/li>\n<li>How MHSL 
information is to be transferred between MHSL and the vendor,<\/li>\n<li>Acceptable methods for the return, destruction, or disposal of MHSL information in the vendor\u2019s possession at the end of the contract,<\/li>\n<li>Minimum information security requirements,<\/li>\n<li>Incident response requirements,<\/li>\n<li>Right for MHSL to audit vendor.<\/li>\n<\/ul>\n<\/li>\n<li>If a vendor subcontracts part of the information technology service provided to the vendor, the vendor is required to ensure appropriate information security practices throughout the supply chain and to notify MHSL.<\/li>\n<li>The vendor must only use MHSL\u00a0Information Resources\u00a0for the purpose of the business agreement.<\/li>\n<li>Work outside of defined parameters in the contract must be approved in writing by the appropriate MHSL point of contact.<\/li>\n<li>Vendor performance must be reviewed annually to measure compliance with implemented contracts or Service Level Agreements (SLA). In the event of non-compliance with contracts or SLAs, regular meetings will be conducted until performance requirements are met.<\/li>\n<li>Vendor\u2019s major IT work activities must be entered into or captured in a log and available to MHSL IT management upon request. Logs must include, but are not limited to, events such as personnel changes, password changes, project milestones, deliverables, and arrival and departure times.<\/li>\n<li>Any other MHSL information acquired by the vendor in the course of the contract cannot be used for the vendor\u2019s own purposes or divulged to others.<\/li>\n<li>Vendor personnel must report all security incidents directly to the appropriate MHSL IT personnel within the timeframe defined in the contract.<\/li>\n<li>MHSL IT will provide a technical point of contact for the vendor. 
The point of contact will work with the vendor to make certain the vendor is in compliance with these policies.<\/li>\n<li>New vendors must provide MHSL a list of key personnel working on the contract.<\/li>\n<li>Vendors with logical access to information resources must provide non-repudiation authentication mechanisms.<\/li>\n<li>Vendors must provide MHSL with notification of key staff changes within 24 hours of change.<\/li>\n<li>Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to MHSL or destroyed within 24 hours.<\/li>\n<li>Upon termination of contract, vendors must be reminded of confidentiality and non-disclosure requirements.<\/li>\n<li>Upon termination of contract or at the request of MHSL, the vendor must surrender all MHSL badges, access cards, equipment and supplies immediately. Equipment and\/or supplies to be retained by the vendor must be documented by authorized MHSL IT management.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>1.0 Background and Purpose The purpose of the Mitchell Hamline School of Law (MHSL) Vendor Management Policy is to describe the actions and behaviors required to ensure that due care is taken to avoid inappropriate risks to MHSL, its business partners, and its stakeholders from any of its vendors. 1.1 Who Needs to Know? 
The &hellip; <\/p>\n<p><a href=\"https:\/\/mitchellhamline.edu\/policies\/policy\/vendor-management-policy\/\" class=\"more-link\">Vendor Management Policy<\/a><\/p>\n","protected":false},"template":"","categories":[3],"audience":[6,5],"alpha":[35],"class_list":{"0":"post-325","1":"policy","2":"type-policy","3":"status-publish","5":"category-technology-and-communications","6":"audience-faculty","7":"audience-staff","8":"alpha-v","9":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/policy\/325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/policy"}],"about":[{"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/types\/policy"}],"wp:attachment":[{"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"audience","embeddable":true,"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/audience?post=325"},{"taxonomy":"alpha","embeddable":true,"href":"https:\/\/mitchellhamline.edu\/policies\/wp-json\/wp\/v2\/alpha?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}