Date: Thu, 28 Mar 2024 15:23:58 -0400 (EDT)
Objective
The purpose of the University Vendor Policy is to establish requirements for the selection and approval of third-party service providers.
Applicability
The Suffolk University Vendor Policy applies to any third-party service provider that creates, uses or otherwise accesses or interacts with any University Information and/or University Information Resources.
Definitions
Confidential Information: This information consists of University Information which falls into one of the following categories:
- Massachusetts Personal Information (as defined herein)
- Financial Customer Information (as defined herein)
- Records and information the University, or any of its employees or units, is required by law to keep confidential, including but not limited to the following:
  - Personally identifiable information about students of the University, other than “directory information,” contained in “Education Records,” i.e. records “directly related to a student”, to the extent protected by the federal law known as the Family Educational Rights and Privacy Act or “FERPA”
  - Records pertaining to individuals receiving health care related services from any Massachusetts licensed clinic operated by the University, to the extent they are considered confidential under Massachusetts law.
  - Information considered privileged under Massachusetts law, including but not limited to information consisting of or relating to communications between an individual and an employee of the University acting in their professional capacity as a licensed psychotherapist, psychologist, mental health counselor, or sexual assault counselor.
- Information the University is required by contract, or by University policy, to keep confidential
- Other highly sensitive personal information about an individual the disclosure of which could foreseeably result in identity theft, financial fraud, damage to reputation, or acute embarrassment, or other significant harm to the individual. Examples of such information include: information about a person’s medical condition or physical or mental health; or personnel or employee payroll records.
- Other University Information that is proprietary to the University and that the University has a strong financial, strategic, or competitive interest in keeping confidential, or that the University is expected to keep confidential under applicable ethical norms. Examples of such information include: trade secret information, proprietary information relating to inventions or patents, research data, or personal information about volunteer research subjects collected in the course of human subject research.
Security Incident: any event that is known or suspected to cause Confidential Information to be accessed or used by an unauthorized person, and shall include any incident in which the University is required to make a notification under applicable law.
University Information: any information in any form whether electronic, hardcopy, audial, or otherwise which is created, collected, stored, accessed or used in connection with the operation and/or management of the University, or which is created, collected, stored, accessed or used by a party authorized by the University.
University Information Resource: any tool, device, equipment, or system used to create, collect, record, process, store, retrieve, display and transmit University Information, including but not limited to email, mainframes, servers, computers, laptops, personal digital assistants (PDA), telecommunication resources, fax machines, printers, file cabinets, software and embedded technology.
Policy
- Any Suffolk University faculty or staff member seeking to engage a third-party service provider who will access, handle or otherwise interact with Suffolk University Information will be required, to the extent necessary, to follow IT Governance and be reviewed for accessibility, data security and privacy, and contract language by the appropriate department. The review also covers the third party’s ability to comply with, implement and maintain measures and standards consistent with University policy, industry standards, and applicable law.
- All third-party service providers must comply with the WISP and all other applicable University policies.
- All third-party service providers that will access, handle or otherwise interact with Confidential Information must be required by contract to implement and maintain data security and data privacy measures consistent with University policy, industry standards, and applicable law to safeguard Confidential Information.
- Upon termination of contract or at the request of University, the third-party service provider must surrender all University Information, identification badges, access cards, equipment and supplies immediately.
- All third-party service providers must report any actual or suspected Security Incidents directly to their University point of contact and Information Security Officer (infosecurity@suffolk.edu).
Violation of Policy
The University reserves the right to monitor network traffic, perform random audits, and to take other steps to ensure the integrity of its information and compliance with this Policy. Violations of this Policy may lead to appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks. Willful or repeated violations of this Policy may result in dismissal from the University.
Revision History
Version | Date | Responsible University Office | Approved By
1.0 | 09/14/10 | Provost Office | Provost Barry Brown
1.1 | 02/12/13 | Senior VP of Finance and Administration and Treasurer Office | Senior VP Danielle Manning
1.2 | 06/05/23 | Information Security Office. Revision: Updated required review of vendor third-party ability to meet university standards, governance process, and return of information | CISO Paul Guarino