Vendor management policy
This policy outlines the procedures involved with vendor management for those vendors which handle Covered Data as defined by the WSC Information Security Program. At the time of writing, this would include, but not be limited to: FERPA non-directory information and credit card information.
When Was This Policy Updated?
April 6, 2017
Who Should Read This Procedure?
WSC Staff involved with contracting, vendor management, implementation or data interfaces with applicable vendors.
- ISPC – Information Security Program Coordinator – defined in the WSC Information Security Program
- Business Service Owner – the department manager or administrator responsible for the service being provided through the vendor
- Covered Data – data defined as Covered Data by the WSC Information Security Program
- WSC Information Security Program
- NSCS Policy 3650
- NSCS Policy 7004
To provide guidance and procedures to employees working with vendors who have access to data defined by the WSC Information Security Program as Covered Data.
Business service owner
- Work with the ISPC to request, prior to implementation, and to re-request no less than annually, information from the service vendor acknowledging their role in protecting data.
  - For vendors with access to FERPA data, this may be an e-mail acknowledging their understanding of their role in protecting data.
  - For vendors with access to PCI data, this must take the form of:
    - A matrix of PCI responsibilities as indicated by PCI requirement 12.8.5, and either:
      - A snapshot of the provider registry on visa.com/splisting, or
      - A copy of an Attestation of Compliance.
- From the date of this policy forward, maintain a list of service providers/vendors with access to Covered Data.
- Work with the VPAF to ensure that vendors acknowledge their responsibilities to protect data in any new contracts, and that any contracts up for revision be modified to provide the same.
Last Updated: 4/6/2017