SP 6-10x
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES:
Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10a, Acceptable Use of Information Assets
System Procedure (SP) 6-10s, Remote Access
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
This procedure documents the requirements for entering, maintaining, and monitoring business relationships with third parties, and ensuring that Cyber Security Procedures are followed for the protection of the Colorado Community College System and its Colleges (“CCCS”) Information Systems and Assets.
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
Third Party Provider
A Third Party Provider is defined as a service provider, integrator, vendor, or instructional partner that is external to CCCS.
The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and comply with this procedure at their respective institutions.
CCCS works with various Third Party Providers. Such interactions often require the disclosure of Sensitive or Restricted information to the Third Party Provider, or access to it by the Third Party Provider. Prior to disclosing such information to the Third Party Provider, the intended recipient must be authorized in writing to receive the information and CCCS must have confidence that the information security measures adopted by the Third Party Provider will protect the confidentiality and integrity of the information.
Third Party Selection
CCCS shall exercise appropriate due diligence in the selection of Third Party Providers.
Contract Requirements
Contract Approvals
Secure Transmission of Information
Prior to transmission of Sensitive or Restricted CCCS information to a Third Party Provider, the System IT Department (“System IT”) or College IT Department (“College IT”) must determine a secure and effective method for providing the Third Party Provider with such information.
Direct Connectivity to the CCCS Network
Third Party Providers who will have direct access to the CCCS network, either remotely or onsite, shall agree in writing to abide by CCCS’s Cyber Security Procedures. Additionally, the Third Party Provider must complete CCCS’s security awareness training prior to being granted access.
Management and Monitoring
Contract Retention
The CCCS contract custodian shall securely retain official copies of Third Party Provider contracts, agreements, memoranda of understanding, etc. System IT or College IT may retain duplicate copies of such documentation to facilitate management and monitoring.
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.