Third Party Policy

Effective Date: 05/14/2015
Implements: Audit Report 14-52, Audit Finding #2 Cloud Computing Policy
Document Title: Third Party Policy.docx
Author: Kal Shenoy, Interim Assistant Vice President of Information Technology Services (ITS)
File Location: ITS

Overview
The CSUB Third Party Policy provides direction and support for managing third party relationships.

Third Party Policy
When a campus entity is engaging a third party for a product and/or service to use on campus or in the cloud (i.e., hosting of infrastructure, platform, software, multiple services or data stored in a data center), the third party and its product and/or service must be compliant with applicable laws and regulations, as well as CSU and campus policies and standards.

All campus entities engaging a third party must have a campus risk assessment conducted for the product and/or service to be provided. All third party products and/or services approved after risk assessment must further be safeguarded by a University contract.

Moreover, third parties, and any of their subcontractors with whom they are authorized to share University data, cannot use, process, store, and/or transmit University confidential data in a way that violates laws and regulations, as well as CSU and campus policies and standards.

Acknowledgement
A special thank you to the Information Security Work Group (ISWG), which is responsible for assisting the University Information Security Officer with developing and issuing information security policies, procedures and standards to the campus community. The ISWG includes Kal Shenoy, Sue Rivera, Chris Diniz, Mike Fleming, Joe Nailor, Kenton Miller, Tem Moore, Brian Chen, and Don David. In addition, a special thank you to Frank Yap, Contracts Administrator from Procurement, who assisted with the collaboration process between Procurement and ITS.