Standard for Information Security Related to Vendors and External Parties

I. Purpose

The purpose of this standard is to establish the university’s obligation to ensure the protection of university assets accessible or hosted by vendors and other external parties.

II. Scope

It is the responsibility of any faculty or staff working with vendors and other external parties who may be accessing or hosting university assets to understand and apply information security policies, standards, and guidelines which ensure appropriate security for those assets.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at

IV. Standard

When providing vendors and other external parties with access to university assets or when contracting with vendors and other external parties to host university systems or services, steps should be taken to ensure the protection of those assets. Agreements or contracts with vendors and other external parties should include the following security controls:

  • Identify and classify the information to be provided, accessed, or hosted in order to determine appropriate measures for data protection and handling
  • Document each party’s responsibility for implementing and managing access control
  • Specify each party’s rules of acceptable use
  • Obtain vendor’s or external party’s documented commitment to employ industry best practices for technical and procedural protection of sensitive university data from unauthorized physical and electronic access
  • Ensure compliance with legal and regulatory requirements
  • Document plan for notification of security breaches involving the security, confidentiality or integrity of any data
  • Define recovery and contingency arrangements to ensure availability of information
  • Stipulate details for handling data upon termination of the contract or agreement. This should include how the data will be destroyed or, if it is to be returned, the agreed upon format and mechanism(s) for returning the data as well as the time allowed for the return.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 6/05/15
Updated 4/01/21