General Principles

Macalester Preferences

  1. A smaller number of proven vendors who are responsive, thoughtful.

  2. Vendors that have a representative assigned to the College who understands the mission, challenges and limitations of higher education.

  3. Long-term relationships.

  4. Pursuit of the lowest price is not paramount.

  5. When available, the use of consortia agreements:  MHEC, ACTC, MnSCU, MHETA.

  6. P-Card payments are preferred over use of Purchase Orders.

  7. Unique customer numbers/accounts with each vendor managed through a password protected, access control authentication system.

  8. Macalester will challenge prices from vendors when prices deviate significantly and consistently from past patterns.

  9. IT Contracts are generally centralized into the ITS Department for better cost control, efficiency, management, support.

Policy and Security Elements

Security Requirements

  1. A Statement of Work (SOW) must clearly state the security requirements for the vendors to ensure that their work is consistent with College cyber security requirements.

  2. In general, contracts for software and other services delivered from cloud vendors are reviewed by the Information Security Officer for security compliance.

  3. An Activation Key is never recorded within inventory listing.

Scope

Statement of Works must include a clear description of the scope of services provided under the contract or purchase order.

Data Classification

Statement of Works must clearly identify any and all types of sensitive data to be exchanged and managed by the vendor.  Sensitive data is defined as either regulated or confidential by the Data Classification Policy.

Security Documentation Deliverables

Statement of Works and contracts must contain a documented System Security Plan which describes all existing and planned security controls.  Approval of Cloud Computing contracts will depend on compliance with the Macalester Cloud Computing Checklist (addendum).

Contracts

Contract Language

Contracts that include exchange of sensitive data must require state confidentiality agreements to be executed by the vendor, must identify applicable state policies and procedures to which the vendor is subjected, and must identify security incident reporting requirements.

Reporting Requirements

Contracts must clearly identify security reporting requirements that stipulate that the vendor is responsible for maintaining the security of sensitive data, regardless of ownership.  In event of a breach of the security of the sensitive data, the vendor is responsible for immediately notifying Macalester College and Information Technology Services and working with the both regarding recovery and remediation.  Security reporting requirements in the contract must also require the vendor to report all suspected loss or compromise of sensitive data exchanged pursuant to the contract within 24 hours of the suspected loss or compromise.

Breach Notification

The vendor is responsible for notifying all persons whose sensitive data may have been compromised as a result of the breach as required by law.

Sanctions

Contracts must include formal sanctions or penalties for failure to meet the security requirements in the contract or purchase document.

Management and Oversight

Policy Compliance

Vendors are required to comply with all the applicable Macalester College Information Security Policies, as published and updated by the Office of Cyber Security.  

Contract Maintenance

Departments that have implemented contracts shall ensure all contracts being renewed are updated with provisions supporting the requirements of this policy.

Reporting and Monitoring

Communications

Departments shall provide the appropriate security reporting contact information to each vendor upon contract initiation, along with any reporting instruction specific to the respective public agency.

Inspection and Review

Macalester College shall have the ability to inspect and review vendor operations for potential risks to operations or data.  This review may include a planned and unplanned physical site inspection, technical vulnerabilities testing, and an inspection of documentation, such as security test results, IT audits, and disaster recovery plans.

Risk Reporting

All contracts shall require the vendor to produce regular reports focusing on four primary potential risk areas:

  • Unauthorized Systems Access
  • Compromised Data
  • Loss of Data Integrity
  • Inability to Transmit or Process Data
  • Exception Reporting

Any exceptions from normal activity are to be noted in the reports, reviewed, and the appropriate responses determined.

Termination of Service

Upon termination of vendor services, contracts must require the return or destruction of all Macalester College data in accordance with Access Control Policy.  Procurement and contract managers are to immediately ensure termination of all access to College information systems and, if applicable, facilities housing these systems.