Good Afternoon,
The following operating
instruction is available for review and comment. It is located on the P&P
review site at https://mnscu.sharepoint.com/sites/policy/SitePages/Reviews.aspx. Please log in using your [StarID]@minnstate.edu
and your regular password. All feedback and comments may be submitted and
viewed through this site.
Operating Instruction
5.23.1.14 Third Party Vendors
Summary: This new operating
instruction defines the business owner's requirements for evaluating the
security controls of third party vendors that provide a systemwide service that
handles, processes or stores protected, sensitive data.
Responses are requested
by Wednesday , May 29, 2018.
1 Minnesota State
2 Chapter 5 – Administration
3 Operating Instruction
4
5
6 Operating Instruction 5.23.1.14 Review of Third Party Vendors
7
8 Part 1. Purpose
9 To establish minimum requirements for the oversight and monitoring of any third party vendor
10 that provides a systemwide service that handles, processes or stores Highly Restricted or
11 Restricted data as defined in System Procedure 5.23.2 Data Security Classification and
12 Operating Instruction 5.23.2.1 Data Security Classification.
13
14 Part 3. Definitions
15 For purposes of this operating instruction, the following definitions apply:
16
17 Business Owner
18 Any Minnesota State employee responsible for ensuring due diligence prior to the
19 execution of a contract, managing the third party relationship, and monitoring service
20 delivery for compliance with federal and state laws, regulations, Minnesota State Board
21 Policies, system procedures, operating instructions, and/or contract agreements.
22
23 Service Organization Control (SOC) reports
24 Report(s) on a third party’s controls that are relevant to security, availability, processing
25 integrity, confidentiality or privacy, and the customer’s internal control over financial
26 reporting. These reports are intended to meet the needs of a broad range of customers that
27 need detailed information and assurance about the effectiveness of the third party’s
28 controls.
29
30 Statement(s) on Standards for Attestation
31 A regulation created by the Auditing Standards Board (ASB) of the American Institute of
32 Certified Public Accountants (AICPA) for defining how service organizations report on
33 compliance controls. This requires the management of the service organization to provide a
34 written assertion to the auditor that their description accurately represents their
35 organizational system. The organization’s system description consists of the services
36 provided by the organization and all operational activities that affect the service's
37 customers. In addition, the organization must also assert that their description honestly
38 describes their control objectives and the time period in which they are meant to be
39 evaluated.
40
Part 4. Due Diligence Prior To Contract or Agreement 41 Execution or Renewal
42 For any systemwide service provided by a third party vendor, prior to the execution or renewal
43 of a master contract, the security controls and data management practices of the vendor must
44 be reviewed to ensure Highly Restricted and/or Restricted data will be adequately secured. The
45 Business Owner shall conduct the review in consultation with the system office Information
46 Security, Risk, and Compliance department.
47
48 The Business Owner is responsible for obtaining any necessary review and approval of the
49 contract by system legal counsel, as required by Board Policy 5.14 Contracts and Procurements.
50
51 Part 5. Annual Review of Control Environment
52 The Business Owner shall consult with the system office Information Security, Risk, and
53 Compliance department to conduct an annual review of the controls, data management, and
54 security practices of the third party vendor.
55
56 To ensure the controls adequately protect Highly Restricted and/or Restricted data, the
57 following documents must be reviewed:
58 The original contract and any applicable addendums, exhibits, or attachments;
59 If available, the vendor’s Service Organization Control (SOC) reports;
60 Any other report that has been conducted by a third party that evaluated the third
61 party’s data management and/or security controls. This does not include the third party
62 conducting an internal evaluation of their own controls or practices.
63
64 The review must also include an evaluation of controls performed by Minnesota State that are
65 required by terms in the contract or agreement with the third party. If a SOC report is provided
66 by the vendor, the controls that must be implemented by Minnesota State will be identified in
67 the report as “complementary user entity controls.”
68
69 Part 6. Documentation of Annual Review
70 The results of the annual review of the control environment must be documented and retained
71 by the Business Owner in accordance with records retention schedules. Documentation must
72 include:
73 Business Owner name and title;
74 Vendor or company name, or the college, university or system office that is providing
75 the service;
76 Brief description of the service provided;
77 Date of original contract or agreement;
78 Any and all documents or reports (e.g., Service Organization Control reports,
79 Statement(s) on Standards for Attestation, etc.) that were included in the review
80 process;
Any deficiencies in the third party’s data management 81 practices – i.e., data backup
82 practices, comingling with other customers’ data, sharing data with other third party
83 entities, etc.;
84 Any deficiencies in the third party’s security controls, as identified by the system office
85 Information Security, Risk, and Compliance department;
86 Any deficiencies in Minnesota State’s security controls, as identified by the system office
87 Information Security, Risk, and Compliance department.
88
89
90
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.