Third Party Access Policy: I3
SPC receives requests for direct connections to its information technology resources from contractors, vendors and other third parties for support services, contract work or other remote access solutions for the College.
The purpose of this policy is to define standards for connecting to SPC information technology resources. These standards are designed to minimize the potential exposure to SPC from damages which may result from unauthorized use of SPC information technology resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical SPC internal systems, etc.
The Third Party Access Policy pertains to all third party organizations and individuals that require access to non-public electronic resources maintained by SPC.
As a condition of gaining access to SPC information technology resources:
- Every third-party must sign an SPC Non-Disclosure Agreement.
- All third parties must be sponsored by an SPC department, organization or employee.
- All third-party access must be uniquely identifiable and password management must comply with the User Accounts Password Policy (IC) and IT Administrator/Special Access Policy (IS) guidelines.
- All third-party account holders must provide contact information that will be used to contact them in the event of account status changes, misuse, or termination of the agreement.
- All changes to access granted under this policy must originate from the SPC sponsor and are subject to a security review.
- Third parties must be made aware and must comply with all applicable SPC policies, practice standards, agreements and guidelines, including but not limited to:
- Acceptable Use Policy (ID)
- Encryption Policy (IK)
- Network Access Policy (IM)
- Portable Computing Policy (I1)
- Change Management Policy (IJ)
- SPC Information Security Program
- • Third-party agreements and contracts must specify:
- The SPC information to which the third party has access.
- How SPC information is to be protected by the third party.
- Acceptable methods for the return, destruction or disposal of SPC information in the third party’s possession at the end of the contract.
- Third parties must only use SPC information and information technology resources for the purpose of the business agreement.
- Any other SPC information acquired by the third party in the course of the contract cannot be used for the third party’s own purposes or divulged to others.
- Third-party personnel must report all security incidents immediately to the appropriate SPC sponsor and the Associate Dean for Information Services.
Any third-party account holder that violates this policy will have the account suspended and the account holder’s sponsor will be notified. Following a review, SPC will implement the actions specified by the Associate Dean for Information Services to reinstate or remove the account.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Approved by: Executive Council, September 24, 2018
Next Review: October 1, 2020