The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 36 – Standard for Vendor and Third Party Controls and Compliance
I. STANDARD STATEMENT
This standard applies to all persons or companies with whom UTSA enters into contracts to provide services involving Information Resources and to those in the UTSA organization who sponsor a vendor or consultant.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 36 – Standard for Vendor and Third Party Controls and Compliance, contact the following office:
The Office of Information Security
The University of Texas at San Antonio (UTSA) recognizes that Vendors and other contractors serve an important function in the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications. This standard applies to contracts entered into by UTSA that involve third-party access to, or third-party creation of, Information Resources or University Data.
- hold all confidential data in the strictest confidence;
- not release any confidential data unless the vendor obtains UTSA’s prior written approval and performs such a release in full compliance with all applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA);
- not otherwise use or disclose confidential data except as required or permitted by law;
- safeguard data according to all commercially reasonable administrative, physical, and technical Standards (e.g., those established by the National Institute of Standards and Technology (NIST) or the Center for Internet Security);
- continually monitor its operations and take any action necessary to assure the data is safeguarded in accordance with the terms of this standard, UTS165; and
- comply with the vendor access requirements that are set forth in this standard.
- written notice within one business day after the vendor's or third party's discovery of such use or disclosure, or, if the Data Owner, UTSA procurement officers, and the ISO are satisfied that a longer period is acceptable, within that period; and
- all information UTSA requests concerning such unauthorized use or disclosure.
- continue to protect all data that it retains;
- agree to limit further uses and disclosures of such data to those purposes that make the return or destruction infeasible, for as long as the vendor or other third party maintains such data; and
- to the extent possible, de-identify such data.
Effective Date: August 1, 2011
Last Revised: June 6, 2017