201.3 3rd-Party Hardware Assets Guidelines
In support of UIS.201 IT Hardware Assets Management Policy
Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Any technology hardware obtained from third parties, vendors, suppliers or partners for the purposes of University business must meet UIS minimum security requirements and abide by the applicable policies and guidelines associated with UIS vulnerability management, data privacy, handling and protection, and configuration management.
Third-party Hardware Assets Requirements
University Information Services (UIS) reserves the right to define, document, and audit how external hardware assets comply with information security controls and requirements.
UIS must monitor external service providers for security control compliance on an ongoing basis.
UIS restricts and monitors the location of information systems that receive, process, store, or transmit university data.
Third-party service providers must demonstrate compliance with University technology policies and applicable laws and regulations.
Agreements with third-party suppliers for information systems must include the following for review with UIS and the Office of Procurement:
- The course of action and remedy if the vendor’s security controls are inadequate such that the security, confidentiality, integrity or availability of the University’s data cannot be assured.
- The vendor’s ability to provide an acceptable level of security, service and/or support during contingencies, disasters or failures.
To support service delivery, the third-party agreements must contain, or incorporate by reference, all the relevant security requirements necessary to ensure compliance with the University’s information security policies, standards, data retention schedules, and business continuity requirements.
Services, systems and products provided by third parties must be reviewed and checked annually, or at renewal of the service agreement or executed contract, to ensure that applicable updated security requirements are incorporated.
Contracts with vendors providing off-site hosting or cloud services must require the vendor to provide the University with an annual third-party risk assessment report to establish compliance with the University information security policies. The assessment must include, at a minimum, the following:
- The rate of compliance with the enterprise-wide security standards;
- An assessment of security organization, security practices, security information standards, network security architecture, and current expenditures of University funds for information technology security.
- Any changes to the technical services provided by a third party must be submitted to the UIS technology assessment teams prior to implementation.
- Service providers who store or share Tier 1 data (University restricted or confidential data) must adhere to a level of security outlined in the University Information Security Office (UISO) minimum security requirements.
- UIS must ensure that the SLA includes requirements for regular monitoring, review, and auditing of the service levels and security requirements as well as incident response and reporting requirements. The SLA must state how the service provider is responsible for data stored or shared with the provider.
- UIS performs monitoring, review, and auditing of services to monitor adherence to the SLA and to identify new vulnerabilities that may present an unreasonable risk.
- UIS enforces compliance with the SLA and must be proactive with third parties to mitigate risk to a reasonable level.
- Changes to an SLA and to the services provided must be controlled through the formal change management process established in the Change Management Guidelines.
- UIS prohibits the use of unauthorized and unapproved information systems, system components, or devices that receive, process, store, or transmit restricted and/or private data, unless explicitly approved by UISO.