Approver(s):

Executive Council

Authorizes Release:

Vice President for Information Services

Responsible Area:

Information Services

Review Cycle:

Annually or as required

Last Review:

June 2025

Related Policies and Additional References:

Purpose

This policy outlines the requirements for assessing and managing third-party vendor relationships to mitigate risks, safeguard sensitive information, and maintain a strong institutional security posture. St. Mary’s University is committed to:

  • Ensuring third-party vendors meet university standards for privacy, security, and compliance.
  • Conducting appropriate due diligence before granting vendors access to sensitive or protected institutional data.
  • Requiring necessary legal agreements and security assessments based on the data classification involved.
  • Involving the Information Services division in vendor-related decisions involving university data or data systems.
  • Monitoring vendors for ongoing compliance, incident response readiness, and risk management.

Through clearly defined responsibilities and scalable assessments, the university aims to enhance vendor oversight and reduce the likelihood of regulatory violations.

Scope

St. Mary’s University values strategic partnerships with third-party vendors that support the mission and long-term goals of the institution. We prioritize the following principles when establishing vendor relationships:

  • Preference for a smaller number of reliable, responsive, and higher education-aware vendors.
  • Engagements with vendors who assign dedicated representatives familiar with the unique needs and resource limitations of higher education institutions.
  • Cost efficiency is important, but not prioritized above quality of service, security, and compliance.
  • When available, we may leverage higher education consortium agreements (e.g., E&I, HESS, Texas DIR).
  • Institutional purchasing will be in accordance with the Procurement of Goods and Services policy.
  • Vendor accounts should be established under secure portals with unique, traceable identifiers.
  • St. Mary’s reserves the right to challenge vendor pricing when significant deviations from historical pricing are observed.
  • All contracts involving technology—such as hardware, software, system integrations, cloud services or any service involving institutional data—must be reviewed and approved by the Office of Information Services prior to execution.

This policy applies to third-party vendors who store, process, transmit, or have access to university data, systems, or information resources. Vendors providing only goods or services without access to sensitive institutional data or systems (e.g., construction vendors, facilities maintenance) are outside the scope of this policy unless otherwise specified in a contract.

Vendor Risk Classification & Assessment

As part of its ongoing due diligence, St. Mary’s will conduct a risk assessment of its third-party relationships commensurate with the level of risk, including compliance and regulatory risks. Prior to establishing a contractual relationship with a vendor, St. Mary’s units must identify the data that will be shared with or accessed by the vendor and the appropriate data classification.

Risk Tier    Vendor Characteristics
Low          Vendors with no access to institutional data or only interact with publicly available data. Minimal or no integration with university systems.
Moderate     Vendors with access to moderately sensitive data such as FERPA-protected records or internal-use-only information. Integration may exist but does not involve core systems.
High         Vendors that handle or access personally identifiable information (PII), manage large datasets, or integrate deeply with institutional systems and processes.
Critical     Vendors that access or process highly sensitive data such as PHI or PCI or provide services essential to the university’s core operations (e.g., financial systems, medical platforms).

Security and Privacy Requirements

Statement of Work (SOW)

If applicable, Statements of Work must clearly outline the vendor’s responsibilities with respect to information security and data protection.

Security Reviews and Documentation

Information Services must review contracts involving hardware, software or cloud-based services and applications for compliance with university cybersecurity standards. Vendors are required to submit relevant documentation, which may include:

  • Higher Education Community Vendor Assessment Toolkit (HECVAT)
  • System and Organization Controls (SOC) Reports
  • Information Security and Privacy Policies
  • Business Continuity/Disaster Recovery Plans
  • Incident Response Plan
  • Regulatory compliance documentation (FERPA, HIPAA, PCI DSS, CJIS, GLBA, etc.)
  • List of subcontractors and associated services, including data access details

Vendors must not be granted access to university systems, data, or information resources until a security review has been conducted by Information Services and appropriate security documentation has been submitted and approved.

Data Residency and Handling

  • Vendors shall ensure that all institutional data remains within the continental United States or Canada. Data storage or processing in foreign jurisdictions is strictly prohibited unless explicitly authorized in writing and documented within the contract.
  • The SOW must explicitly identify regulated or confidential data exchanged, as defined by the university data classification.
  • All regulated or confidential data must be encrypted both in transit and at rest.

Minimum Security Standards

All vendors must maintain minimum security controls, including but not limited to:

  • Multi-factor authentication (MFA) for administrative access
  • Regular patching of systems
  • Endpoint protection
  • Data encryption in transit and at rest

PCI DSS and Credit Card Transactions

Vendors involved in the collection or processing of payment card data must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Data Disposal

Contracts must stipulate that, upon termination, vendors will securely return or destroy all institutional data in accordance with university policy and within a timeframe defined in the agreement.

Contractual Requirements

Scope and Terms

Contracts and SOWs must clearly describe the scope of services, deliverables, and service timelines.

Contractual Language for Data Security

Contracts involving access to or exchange of sensitive data must:

  • Include confidentiality and security provisions.
  • Reference relevant St. Mary’s University policies.
  • Define breach notification responsibilities.
  • Include clauses that hold the vendor responsible for securing data regardless of ownership.
  • Include provisions for data disposal and destruction upon termination.

General Contract Requirements

  • Whenever possible, contracts should specify Bexar County, Texas, as the area of jurisdiction.
  • Automatic contract renewals should be avoided.

Note:
These general requirements (jurisdiction, renewal terms) apply to all university contracts, including those unrelated to information services.

Incident and Breach Notification

Vendors must:

  • Notify St. Mary’s Information Security Office of any suspected or confirmed data breach within 24 hours.
  • Cooperate fully in remediation and investigation efforts.

Enforcement and Penalties

Contracts must include enforceable penalties or sanctions for non-compliance with security and data protection requirements or with service availability commitments.

Vendor Oversight and Policy Compliance

Policy Adherence

All vendors must comply with or exceed applicable St. Mary’s University information security policies and standards.

Roles and Responsibilities

Departments and contract owners are responsible for identifying when this policy applies and ensuring appropriate vendor compliance. Information Services will support this process by reviewing security documentation, vetting vendors for data protection standards, and assisting departments with vendor onboarding and compliance evaluations. Only University leadership, authorized by the Board of Trustees, may sign contracts.

Ongoing Maintenance and Renewals

Departments must ensure that contract renewals include updated language to reflect current security requirements.

Communication and Monitoring

  • Contract owners must provide vendors with updated contact information for reporting security concerns.
  • Vendors may be subject to operational audits, documentation reviews, or requests for evidence of penetration testing.

Annual Documentation Review

Vendors handling regulated or confidential data must annually provide updated documentation as outlined in the Security and Privacy Requirements section.

Vendors whose services no longer involve sensitive data may, with approval from Information Services, reduce or discontinue the annual documentation requirement.

Risk Reporting

Vendor reports must address five key risk areas:

  1. Unauthorized Access
  2. Data Compromise
  3. Data Integrity Loss
  4. Service Disruption
  5. Exception Events

All exceptions must be reported and reviewed by the University’s Information Services Department.

Information Services may consult with the Data Governance Committee, where appropriate, to ensure alignment with institutional data protection and governance standards.

Termination and Offboarding

Upon service termination:

  • Departments must coordinate with Information Services to retrieve a secure copy of the data shared with the vendor.
  • Vendors must return and securely destroy all University data.
  • Proof of destruction must be submitted to the University.
  • Contract owners must coordinate immediate revocation of vendor access to systems and facilities.

Exclusions

Exclusions or Special Circumstances

Exceptions to this Policy shall only be allowed if approved by the Chief Information Officer and the Chief Financial Officer, and this approval must be documented, saved, and monitored.

Enforcement

Any employee, contractor, or third-party vendor acting on behalf of St. Mary’s University who becomes aware of a suspected or actual violation of this policy must report the matter to the Office of Information Security as soon as possible.

Violations of this policy may result in consequences including, but not limited to:

  • Suspension or revocation of access to university information systems and resources.
  • Disciplinary action in accordance with university policies and procedures, up to and including termination of employment or contractual agreements.
  • Referral for legal action where applicable.

The University reserves the right to pursue appropriate remedies to mitigate risk and protect institutional data and operations. Repeated or willful non-compliance by vendors may result in removal from the University’s approved vendor list.

Definitions

Annual Review:
A yearly reassessment of vendors, especially those handling regulated or confidential data, to verify that their practices remain in compliance with university standards and legal requirements.

Breach Notification:
The obligation of a vendor to inform the University of any confirmed or suspected unauthorized access, disclosure, or loss of sensitive data within a defined timeframe (typically within 24 hours).

CJIS – Criminal Justice Information Services:
A division of the FBI that manages the nation’s criminal justice information systems. CJIS security standards govern the access, use, and transmission of criminal justice information and must be followed by any organization handling such data, including higher education institutions partnering with law enforcement.

Contract:
A legally binding agreement between St. Mary’s University and a third party that defines the scope, terms, obligations, and expectations for services or products provided.

Contract Owner:
A university employee responsible for managing the vendor relationship, including monitoring compliance and coordinating renewals and terminations.

Data Classification:

  • Low Sensitivity: Data that, if disclosed, altered, or destroyed without authorization, would cause minimal or no harm to the institution, individuals, or third parties. This data is typically intended for public disclosure and does not require special protection. (e.g., publicly available university directory information, campus marketing materials, job postings, course catalogs)
  • Moderate Sensitivity: Data that, if compromised, could result in limited harm to the institution or individuals, such as reputational damage or minor legal consequences. This data is not public but does not contain sensitive personally identifiable information (PII) or regulated content. (e.g., Internal procedural documents, university policies under revision, non-sensitive email communications, university ID numbers without other identifiers)
  • High Sensitivity: Data that, if disclosed or tampered with, could cause serious harm, including financial loss, legal liability, or significant operational disruption. Access to this data should be restricted to authorized personnel with a legitimate business need. (e.g., Student academic records (FERPA-protected), human resources data (excluding sensitive PII), login credentials and internal system configurations, non-public financial data)
  • Critical Sensitivity: Data that, if exposed, stolen, or manipulated, could lead to catastrophic harm to the institution or individuals, including regulatory penalties, identity theft, or severe financial and reputational damage. This data is strictly controlled, and its handling requires the highest level of protection and monitoring. (e.g., Social Security Numbers, passport numbers, health information (HIPAA-protected), payment card data (PCI DSS scope), Legal documents related to active litigation (CJIS), credentials granting privileged access to core systems (e.g., domain admin accounts))

Encryption:
The process of converting information into a secure format to prevent unauthorized access. University policy requires encryption for sensitive data in transit and at rest.

FERPA – Family Educational Rights and Privacy Act:
A federal law that protects the privacy of student education records. It grants students the right to access and request the amendment of their records, and limits disclosure of information without the student’s consent. Applies to all educational institutions receiving federal funding.

GLBA – Gramm-Leach-Bliley Act:
A federal law requiring financial institutions—including higher education institutions that provide financial aid—to protect the privacy and security of consumers’ non-public personal information (NPI). It mandates risk assessments, safeguard policies, and vendor oversight.

Incident Response Plan:
A documented strategy detailing how a vendor will detect, respond to, and recover from cybersecurity incidents or data breaches.

HIPAA – Health Insurance Portability and Accountability Act:
A federal law that establishes national standards to protect individuals’ medical records and other personal health information. It applies to healthcare providers, health plans, and business associates who handle protected health information (PHI).

Information Security Review:
The formal evaluation conducted by the Office of Information Services to assess the adequacy of a vendor’s security controls and documentation prior to contract approval.

PCI DSS – Payment Card Industry Data Security Standard:
A set of security standards designed to ensure that all organizations that process, store, or transmit credit card information maintain a secure environment. Required for any entity that handles payment card data.

Regulated Data:
Data protected under federal or state regulations such as FERPA, HIPAA, PCI DSS, CJIS, GLBA, or other privacy/security laws.

Security Documentation:
Formal materials provided by a vendor to demonstrate compliance with security requirements, including HECVATs, SOC reports, incident response plans, data protection policies, and regulatory certifications.

Statement of Work (SOW):
A formal document that outlines specific deliverables, responsibilities, timelines, and performance expectations under a contract.

Subprocessor (Subcontractor):
Any third party engaged by the vendor to fulfill obligations or provide services on their behalf. All subprocessors with access to university data must be disclosed and subject to the same security requirements.

Third-Party Vendor:
An external entity, organization, or individual that provides goods, services, software, hardware, or data processing capabilities to the University under contract or agreement.

Vendor Risk Tier:
A classification assigned to vendors based on the type of data handled, system access, and criticality to university operations. Tiers help determine the depth of review and monitoring required.

Vendor Security Assessment:
A formal review process conducted by Information Security to evaluate the vendor’s security posture, compliance status, and data protection capabilities prior to engagement or contract renewal.
