1. Policy Statement

Quincy College is committed to safeguarding its information systems, sensitive data, and the privacy of its stakeholders. To this end, the College will establish and maintain a comprehensive Third-Party Vendor Management Policy to ensure all third-party interactions and services comply with regulatory standards and internal security requirements.

2. Objectives

  • Ensure that a formalized, defined, and circulated Third-Party Vendor Management Policy is in place.
  • Maintain an inventory of all service providers.
  • Mitigate risks associated with third-party interactions, including unauthorized access, non-compliance with regulations, and security breaches.

3. Scope

This policy applies to all third-party vendors, contractors, consultants, and any other external entities that provide services to Quincy College.

4. Roles and Responsibilities

  • President: Provides overall oversight and ensures that the policy aligns with the College's mission and strategic goals.
  • Executive Vice President: Assists the President in overseeing policy implementation and ensuring inter-departmental coordination.
  • Vice President of Mission Support: Leads the policy implementation team, coordinates efforts, and ensures compliance with policy requirements.
  • Vice President of Finance: Ensures that financial aspects of vendor management, including budget considerations and financial risks, are managed effectively.
  • IT Manager: Manages the technical aspects of third-party interactions, including the assessment of vendor security measures and integration with college systems.
  • IT Analyst: Supports the IT Manager in conducting security assessments, monitoring vendor activities, and ensuring technical compliance.
  • Capital Resources & Building and Operations Manager: Ensures that physical and operational aspects of vendor management are addressed, particularly in areas related to campus facilities and infrastructure.

5. Vendor Selection and Evaluation

  • Conduct a thorough assessment of potential vendors, including background checks, security posture evaluations, and financial stability assessments.
  • Evaluate vendors based on their ability to meet Quincy College's security and compliance requirements.
  • Document the selection process and maintain records of all evaluations.

6. Contractual Agreements

  • Ensure all contracts with third-party vendors include specific clauses related to data security, compliance with regulations, and the right to audit.
  • Contracts must specify the responsibilities of both parties, including data protection measures, incident response procedures, and termination conditions.

7. Inventory Management

  • Maintain an up-to-date inventory of all third-party vendors, including contact information, services provided, and the level of access granted.
  • Regularly review and update the inventory to reflect any changes in vendor relationships.

8. Access Control

  • Limit third-party vendor access to only the necessary systems and data required to perform their services.
  • Implement strict access controls, including multi-factor authentication and regular access reviews.

9. Monitoring and Auditing

  • Conduct regular audits of third-party vendors to ensure compliance with contractual agreements and the Third-Party Vendor Management Policy.
  • Monitor vendor activities for any signs of non-compliance or security breaches.

10. Incident Response

  • Establish procedures for responding to security incidents involving third-party vendors.
  • Ensure vendors are aware of their responsibilities in the event of an incident, including timely reporting and cooperation with Quincy College's incident response team.

11. Training and Awareness

  • Provide training for all stakeholders involved in third-party vendor management, including the IT Manager, IT Analyst, and department heads.
  • Regularly update training materials to reflect changes in the policy and regulatory requirements.

12. Review and Updates

  • Conduct an annual review of the Third-Party Vendor Management Policy to ensure it remains current and effective.
  • Update the policy as necessary to address emerging threats, changes in regulatory requirements, and lessons learned from incidents.

Original: July 2024