Mar 10, 2025
DMACC Policies and Procedures

IS7055 - Third party & Outsourcing Security


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

The purpose of this procedure is to provide guidelines for qualifying third-party vendors with whom DMACC will do business and for the requirements and regulations to be imposed on their operational processes. This procedure supports existing federal and state laws as they apply to third-party vendors; it does not replace any current or future compliance obligation imposed on third-party vendors by statute, regulation, or contract.

Scope

All personnel, whether full-time or part-time employees, contract workers, consultants, interns, temporary workers, or other personnel, are covered by this procedure. It also applies to all DMACC-owned equipment and to employee-owned equipment used to conduct DMACC business or to handle material related thereto.

Exceptions

There are no exceptions to this procedure except where an exception is granted in writing by the DMACC IT and/or Purchasing departments.

Third Party Vendor Procedure Details

DMACC staff must select new third-party vendors with established records of success that comply with all applicable state and federal regulations and data privacy requirements. Third-party vendors must adhere to DMACC policies, practice standards, and agreements.

References should be obtained to attest to the reliability and quality of service provided by the prospective third-party vendor.

Vendor Responsibilities

Third-party vendors must provide DMACC a contact individual (or individuals) for assessing internal controls to determine the effectiveness of services provided, the efficiency of operations, and compliance with applicable laws and objectives. An assigned DMACC representative will collaborate with this contact individual(s) to ensure the vendor follows all state and federal laws as well as this procedure, and to conduct a full review.

Prospective vendors must provide explanations of security mechanisms (e.g., encryption, access controls, and data leakage prevention) and integrity controls for data exchanged, to prevent improper disclosure, alteration, or destruction. They must also detail how they vet individuals as qualified to handle customer data and outline the technological or human-based methods they use to monitor for, and alert on, security incidents or data breaches.

Vendor data privacy and information security procedures/protocols must meet DMACC requirements for protecting data at rest and in transit, physically securing storage devices, and providing access only to authorized personnel. They must also sufficiently cover the return, destruction, or disposal of information in the vendor's possession at the end of the agreement.

A DMACC representative will work with the vendor contact to establish contract terms and the implementation of service offerings.

An assigned DMACC representative must work with the vendor contact(s) to maintain complete documentation of all third-party vendors and the services performed by each. DMACC may request and maintain copies of all agreements with third-party vendors as appropriate.

Contract Terms

No contract shall be entered into by DMACC that does not take these requirements into account. Any re-negotiation between the vendor and DMACC must be completed through an assigned DMACC representative.

All contract terms and agreements with third-party vendors shall specify the following terms and conditions:

  • Service Level Agreements should be established to explicitly state which services/functions the vendor will provide on behalf of DMACC and what level of availability will be offered involving these services/functions (e.g. uptime, performance standards and any other criteria to evaluate service functionality).
  • Vendor contracts shall require the provider to acknowledge responsibility for securing DMACC sensitive information that it stores, processes, or transmits on behalf of DMACC. The third-party vendor and its personnel must protect all confidential DMACC information using verifiable data controls, which entail encryption of data at rest and in transit, physically secured storage devices, and access only by authorized personnel. These controls must meet all related DMACC security requirements for accessing, processing, communicating, hosting, or managing DMACC data, and for adding or terminating services or products that affect that information.
  • Security incident management responsibilities and details must be specified in the contract agreement, including data incident/breach notification procedures, notification requirements, and remedies.
  • Vendor access to DMACC resources and data should be implemented via role-based mechanisms, with access limited to the systems for which the vendor provides services and the data related thereto.
  • Vendor staff with access to DMACC confidential information must be cleared in advance to handle the information as appropriate. Third-party access to confidential data must be activated only when needed and enabled only to the level and degree indicated by the service level agreement.
  • The vendor must only use DMACC information and systems to deliver the services agreed upon in the contract. No other uses are allowed unless expressly granted in writing in advance by DMACC.
  • Any information acquired by the vendor through the course of operational contract execution shall not be used for the vendor’s own purposes or divulged to others without the express written consent of DMACC in advance.
  • Support details should be included in the agreement including focus/ scope of support, availability of support personnel and any related or additional costs involved with support endeavors.
  • Vendors shall provide DMACC with a list of all staff working on the contracted services. The list shall be updated and provided to DMACC within 24 hours of staff changes.
  • Where applicable, vendor personnel engaging in regular work hours and duties for DMACC must have these details defined in the agreement. Work outside of defined parameters must be approved in writing by appropriate DMACC management.
  • On-site vendor staff members must adhere to all internal facility security protocols and procedures. Upon completion of contracted work, system access shall be deactivated/disabled, and vendors shall return all security access cards, access tokens, and identification, which shall be disabled when not in use.
  • Vendor access shall be uniquely identifiable and password/access management must comply with all the DMACC requirements.
  • Vendors with remote access to DMACC systems shall use all prescribed tools and procedures to access systems remotely. Only these agreed-upon access mechanisms should be utilized.
  • Third-party vendor access to systems and software may be monitored during use as necessitated by the sensitivity and confidentiality of the information.
  • Vendor personnel shall report all security incidents directly to the project supervisor and/or the assigned DMACC representative.
  • The vendor shall follow all applicable DMACC change control processes and procedures when working on DMACC systems.
  • The vendor shall comply with any DMACC auditing requirements, including the auditing of the vendor’s work.

Termination of Contract

  • Agreements with third-party vendors shall specify that the third-party vendor will notify DMACC within one day of discovery of a vendor security incident/breach. Upon such notification, DMACC shall have the right to terminate the agreement with the vendor.
  • Provisions within the contract shall ensure that the vendor pays all costs incurred to remedy a breach, including, if appropriate, notifying affected customers, and any related expenses or damages levied due to the incident and related disclosure.
  • DMACC retains the right to terminate the contract/agreement if it is determined that the vendor has not been compliant with the security or service standards outlined in this contract, even if no data breach occurred.
  • Upon termination of the agreement or at the request of DMACC, the vendor will return or destroy all DMACC information and provide written certification of that return or destruction within 24 hours.
  • Upon termination of the contract or at the request of DMACC, the vendor must surrender all identification badges, access tokens or cards, equipment, and supplies immediately. Any equipment and/or supplies to be retained by the vendor must be documented by management.

Monitoring

Any issues, errors, or problems with third-party vendors must be logged to track performance shortfalls or service agreement violations. Each entry will include the specific problem, an example with dates and times, the desired resolution and timeline, and the name of the contact at the vendor.

The IT and/or Purchasing department will monitor for adherence to this procedure. Any revision or update to the Third-Party Vendor and Outsourcing Procedure must be approved by the DMACC IT department.

Violations and Penalties

Any violation of the Third-Party Vendor and Outsourcing Procedure must be immediately reported to any involved managers and to the DMACC IT and/or Purchasing department. Violating the Third-Party Vendor and Outsourcing Procedure or any of its tenets could result in disciplinary action up to and including termination of employment, and civil and/or criminal prosecution under local, state, and federal laws.
