Process for Vendor/Third-Party Information Security Assessment

This assessment process covers instances when Ithaca College is considering new or renewed contracts permitting service providers or other partners to store, process, or have access to non-public data. This covers cases where the partner would handle data the college already has and cases where a partner may collect data on behalf of the college. Ithaca College requires such partners to exercise appropriate information security controls.

The security and privacy practices of Ithaca College contract partners are evaluated as part of the college's contract review process. The requirements imposed and the depth of scrutiny applied are proportional to the nature and quantity of data stored or processed by each partner and to the potential that a compromise of a partner's systems or accounts could lead to compromise of other systems or data managed or used by the college.

Goals of the Security Assessment Process:

  • To ensure review of partners’ security practices is completed by qualified IC personnel.
  • To identify the types and quantities of data involved and any access to IC systems that would be required.
  • To ensure partners’ security programs and processes are sufficient to meet regulatory requirements and reduce information security related risk to levels acceptable to the college.

Data and Access Covered by this Process

  • Data types covered by this process are all Non-Public Data, meaning all data subject to some confidentiality requirement, whether regulatory, contractual, or other. Whether or not the data is actually intended to be published does not determine whether it is Public or Non-Public Data for purposes of this process.
  • Access covered by this process is any access to systems or data that are not open to the world without a login.

Roles of College Personnel and External Partners:

Owner’s Role in the Security Assessment Process

Ithaca College divisions, departments, and individual personnel initiating negotiation of any contract ("owners") involving Data or Access covered by this Process should share links to this page with the prospective partner early on, as part of an initial screening process. Owners should obtain the partner's Requested Security Assessment Documentation and provide it to the IT Office in the early phases of exploring the business relationship, and no later than the start of the contract review process. The review may take up to two weeks (including follow-up queries to the partner) and may therefore delay completion of the overall contract review. Obtaining the Requested Security Assessment Documentation and consulting with IT before the contract review begins may also avoid an unnecessary contract review and give the owner time to consider alternative suppliers.

Partners’ Requested Security Assessment Documentation:

Partners’ Use of Ithaca College Single Sign-On/SAML:

Ithaca College generally requires that partners who will provide our students, faculty, staff, or other IC users with access to their systems use federated identity through our Microsoft Azure AD Single Sign-On, which relies on SAML authentication. Federated sign-on keeps authentication, multi-factor enforcement, and account deprovisioning under college control rather than the partner's. Information for suppliers is available on the Single Sign-On Information Page. Exceptions may be granted, mostly in cases where only a small number of IC users will be given access.

Other Related Parts of the Contract Review Process: