1. Purpose

    To ensure the protection of the University’s assets that are accessed, processed, communicated to, or managed by external parties, suppliers or vendors. This includes any external party who has access to physical data processing facilities, logical access to State data processing systems via local or remote access or access via another external party into the University’s data processing facilities.
  2. Information security in supplier relationships

    Security requirements will be documented and agreed with each supplier that may access, process, store, transmit or communicate University owned data. Risk involving external parties should be identified and proper controls implemented prior to the granting of access to any information, information technology asset or information process facility of the University.
  3. Supplier service delivery management

    Periodic review of supplier services will be conducted to ensure that related security agreements are being adhered to and enforced.
    1. Reporting of Security Incidents

      External Party Agreements will require external parties to report perceived security incidents that may impact the confidentiality, integrity or availability of University data immediately.
    2. Sub-Contractors Requirements

      Primary external parties should require their subcontractors to abide by State of North Carolina and the University’s policies and security requirements, as applicable.