Purpose 

Georgetown University Information Services (UIS) has developed and implemented the Technology Vendor policy and procedures to ensure that all technology vendors are approved and authorized to operate in accordance with the technology review and approval process before employing its services or gaining access to University technology assets, data, systems, servers, and networks. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards for any information technology vendor supplying hardware, software, and services for the operation of University business.   

Scope 

This policy applies to non-Georgetown technology service providers that provide service to the University in the form of hardware, software applications, platform as a service (PaaS), software as a service (SaaS), infrastructure as a service (IaaS), application subscriptions, and technology consultation, and staff augmentation where University data is shared, exchanged or transmitted.  

Policy 

Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. Each departmental technology requisitioner, sponsor, administrator, steward and owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

The University Information Security Office (UISO) must approve the use of third-party technology providers and systems which access, store or process any University data not classified as public data. Only authorized third-party service providers will be used to access, exchange, store, process or analyze university data, or to provide the university with critical operational technologies. Only Procurement Services is authorized to execute contracts with third-party technology providers for services, paid or free. 

Unauthorized and non-compliant 3rd-party solutions will be prevented from gaining access to University data, the network, or its systems until such time that designated security standards can be met.