Third Party Policy

When a campus entity is engaging a third party for a product and/or service to use on-campus or in the cloud (i.e., hosting of infrastructure, platform, software, multiple services or data stored in a data center), the third party and their product and/or service must be compliant with applicable laws, regulations, as well as CSU and campus policies and standards. All campus entities engaging a third party must have a campus risk assessment conducted for the product and/or service to be provided. All third party products and/or services approved after risk assessment must further be safeguarded by a University contract. Moreover, third parties and any of their subcontractors with whom it is authorized to share University data cannot use, process, store, and/or transmit University confidential data in a way that violates laws, regulations, as well as CSU and campus policies and standards.
 

A special thank you to the Information Security Work Group who is responsible for assisting the University Information Security Officer with developing and issuing information security policies, procedures and standards to the campus community. The ISWG includes Kal Shenoy, Sue Rivera, Chris Diniz, Mike Fleming, Joe Nailor, Kenton Miller, Tem Moore, Brian Chen, and Don David. In addition, a special thank you to Frank Yap, Contracts Administrator from Procurement, who assisted with the collaboration process between Procurement and ITS.