Vendor Management Policy

General Principles

Macalester Preferences

1. A smaller number of proven vendors who are responsive, thoughtful.
2. Vendors that have a representative assigned to the College who understands the mission, challenges and limitations of higher education.
3. Long-term relationships.
4. Pursuit of the lowest price is not paramount.
5. When available, the use of consortia agreements: MHEC, ACTC, MnSCU, MHETA, HESS.
6. P-Card payments are preferred over use of Purchase Orders.
7. Unique customer numbers/accounts with each vendor managed through a secure website.
8. Macalester will challenge prices from vendors when prices deviate significantly and consistently from past patterns.
9. IT Contracts are generally centralized into the ITS Department for better cost control, efficiency, management, support.

Policy and Security Elements

Security Requirements

1. A Statement of Work (SOW) must clearly state the security requirements for the vendors to ensure that their work is consistent with College cyber security requirements.
2. In general, contracts for software and other services delivered from cloud vendors are reviewed by the Information Security Officer for security compliance.
3. Vendors must supply security documentation for review. This includes but is not limited to:
   • Higher Education Community Vendor Assessment Toolkit (HECVAT) questionnaire
   • SOC Report(s)
   • Information Security Plan
   • Incident Response Plan
   • Disaster Recovery Plan
   • Privacy Policy
   • Security documentation that outlines business practices.
   • When applicable, regulatory compliance (FERPA, HIPAA, PCI, etc.) documentation
4. All third parties acting on behalf of the vendor in order to provide service will be listed along with the service(s) being provided. Access to Macalester data must be explicitly noted in the SOW.
5. All data residing in vendor systems will remain in the United States, unless otherwise agreed to in contract.
6. SOWs must clearly identify any and all types of sensitive data to be exchanged and managed by the vendor. Sensitive data is defined as either regulated or confidential by the Data Classification Policy.
7. All regulated or confidential data transmitted or residing in vendor systems must be encrypted at all times, unless otherwise agreed to in contract.
8. Systems that collect and/or process credit card data will be required to comply with Payment Card Industry Data Security Standard (PCI DSS) and Macalester’s Safe Credit Card Handling Policy.
9. Upon the dissolution of contract agreement, all data will be securely erased within the timeframe specified in contract.

Contracts

Scope

Statement of Works must include a clear description of the scope of services provided under the contract or purchase order.

Contract Language

Contracts that include exchange of sensitive data must require state confidentiality agreements to be executed by the vendor, must identify applicable state policies and procedures to which the vendor is subjected, and must identify security incident reporting requirements.

Reporting Requirements

Contracts must clearly identify security reporting requirements that stipulate that the vendor is responsible for maintaining the security of sensitive data, regardless of ownership.  In event of a breach of the security of the sensitive data, the vendor is responsible for immediately notifying Macalester College and Information Technology Services and working with the both regarding recovery and remediation. Security reporting requirements in the contract must also require the vendor to report all suspected loss or compromise of sensitive data exchanged pursuant to the contract within 24 hours of the suspected loss or compromise.

Breach Notification

The vendor is responsible for notifying all persons whose sensitive data may have been compromised as a result of the breach as required by law.

Sanctions

Contracts must include formal sanctions or penalties for failure to meet the security requirements in the contract or purchase document.

Management and Oversight

Policy Compliance

Vendors are required to comply with all the applicable Macalester College Information Security Policies, as published and updated by the Office of Cyber Security.

Contract Maintenance

Departments that have implemented contracts shall ensure all contracts being renewed are updated with provisions supporting the requirements of this policy.

Reporting and Monitoring

Communications

Departments shall provide the appropriate security reporting contact information to each vendor upon contract initiation, along with any reporting instruction specific to the respective public agency.

Inspection

Macalester College shall have the ability to inspect and review vendor operations for potential risks to operations or data. This review may include a planned and unplanned physical site inspection, technical vulnerabilities testing, and an inspection of documentation, such as security test results, IT audits, and disaster recovery plans.

Annual Review

Vendors that handle regulated or confidential information will send Macalester updated information as outlined in the Security Requirements section of this policy on an annual basis for review.

Risk Reporting

All contracts shall require the vendor to produce regular reports focusing on five primary potential risk areas:

• Unauthorized Systems Access
• Compromised Data
• Loss of Data Integrity
• Inability to Transmit or Process Data
• Exception Reporting

Any exceptions from normal activity are to be noted in the reports, reviewed, and the appropriate responses determined.

Termination of Service

Upon termination of vendor services, contracts must require the return or secure destruction of all Macalester College data. Verification from the vendor is required to ensure contract obligations are fulfilled. Procurement and contract managers are to immediately ensure termination of all access to College information systems and, if applicable, facilities housing these systems.