| Policy Title | Vendor Access to IT Resources Policy |
| Type or category of Policy: | University Policy |
| Approval Authority: | Chief Information Officer |
| Responsible Executive: | Chief Information Officer |
| Responsible Office: | Information Technology Services |
| Owner Contact: | Information Security Administrator Informationsecurity@siena.edu |
| Reviewed By: | Information Security Committee |
| Reviewed Date: | October 7, 2015 |
| Last Revised and Effective Date of Revision: | October 7, 2015 |
Reason for Policy
The purpose of this policy is to define standards for vendors accessing resources on Siena University’s network. These standards are designed to minimize the potential exposure to Siena University from damages which may result from unauthorized use of Siena University resources. Damages include but not limited to the loss and/or breach of sensitive or confidential data, intellectual property, damage to public image, and/or damage to critical Siena University systems.
Scope of the Policy
This policy applies to all Siena University vendors, contractors, subcontractors, volunteers, visitors or agents herein referred to as “third parties” with a Siena University owned or personally owned device used to connect to the Siena University network. This policy applies to any connections used to perform work on behalf of Siena University.
Siena University increasingly continues to depend on the security and integrity of the computer network, servers, and workstations. It is important that the University be proactive in its approach about identifying and enforcing security standards.
The Official Policy
To assist and support Siena University in its mission, third parties may need access onsite or via remote to the systems of Siena University for maintenance and/or emergency support. These systems may cover hardware and/or software management with the ability to view, copy, and make modifications to the systems and data.
It is the responsibility of third parties with access to Siena University resources that due care is ensured to properly secure Siena CollUniversityege systems, and at all times, comply with FERPA, GLBA, HIPAA and other applicable federal and state privacy statutes.
The third parties agree that they will protect the Confidential Information they receive according to commercially acceptable standards and no less rigorously than they protect their own Confidential Information. Specifically, third parties shall implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of all electronically managed Confidential Information.
All parties are subject to all Siena University policies.
The access should be activated on an as-needed basis and disabled when not in use. Third party access is temporary and shall be reviewed on an annual regular basis if access is required for more than one year.
All third party access to network systems must be approved by the Information Security Officer or designee.
Exceptions
Exceptions can be granted in limited circumstances by the Chief Information Officer based upon the needs of the University and upon the requestor’s written justification, which has been reviewed and approved by the University’s Risk Officer.
Adopted: October 7, 2015