A&F Vendor IT Access Standards

UMASS Amherst Administration and Finance Vendor IT Access Standards

1.0 Purpose

The purpose of this policy is to define standards for vendors accessing resources on UMASS Amherst’s network. These standards are designed to minimize the potential exposure to UMASS Amherst from damages which may result from unauthorized use of UMASS Amherst’s resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical UMASS Amherst internal systems, etc.


2.0 Scope

This policy applies to all UMASS Amherst Administration and Finance vendors, contractors, subcontractors, visitors or agents with a UMASS Amherst-owned or personally-owned device used to connect to the UMASS Amherst network. This policy applies to any connections used to perform work on behalf of UMASS Amherst.


3.0 Policy

3.1 General


1.  It is the responsibility of UMASS Amherst vendors, contractors, and agents with access to UMASS Amherst resources that due care is ensured to properly secure UMASS Amherst resources.


2.  It is the responsibility of UMASS Amherst vendors, contractors, and agents with access to UMASS Amherst resources that due care is ensured when using vendor devices on UMASS Amherst networks.


3.2 Requirements


1.  UMASS Amherst vendors’ devices used to administer UMASS Amherst resources are properly secured with strong passwords (determined by password policy), antivirus (if applicable), security updates and are secured physically. This includes UMASS Amherst network devices, which may include firewalls, out of band (OOB) devices, routers, switches and wireless access points.


2.  At no time should any UMASS Amherst vendor provide, release, share, or distribute data or information deemed confidential to UMASS Amherst unless specifically provided for within the contractual relationship.


3.  Any vendor software installed on UMASS Amherst’s network is documented and communicated to UMASS Amherst management. This includes remote access software, backdoors and anything used for administering UMASS Amherst resources. Software installed should be legally obtained and have proper licensing attached when installed on UMASS Amherst systems.


4.  At no time should any UMASS Amherst vendor provide their login password to anyone, including coworkers, vendor staff or UMASS Amherst staff.  Passwords used by vendors to access or create on UMASS Amherst devices and systems should follow standard secure practices defined by UMASS Amherst’s Security Policy (https://www.umass.edu/it/support/security/data-security).  This includes passwords and procedural documents for UMASS Amherst that are kept at vendor facilities for access.


5.  Any changes made on UMASS Amherst network or applications are documented following appropriate guidelines agreed upon by UMASS Amherst and vendor.


6.  If an intrusion or incident occurs on UMASS Amherst that was illegitimate or was to cause harm, management should be contacted in a manner agreed upon by UMASS Amherst and Vendor.


7.  Any accounts used to administer UMASS Amherst resources should be created for vendor use and be separate from the default administrator accounts.


8.  Maintenance performed on UMASS Amherst’s network should be communicated and documented during an agreed upon time between UMASS Amherst and Vendor.


9.  Any subcontractor’s used by vendors to complete tasks for UMASS Amherst will be communicated to UMASS Amherst before the subcontractor is used.


10.  Reports of findings are given to UMASS Amherst via a document or in person on an ongoing basis with reporting timeframe determined by Management and Vendor on a monthly or quarterly basis.


11.  Adherence to the University’s acceptable use and confidentiality policies http://www.umass.edu/it/policies.


4.0  Enforcement


Any violation of this policy by a vendor may be subject to action including termination of contract and/or court action.


5.0  Definitions


Term:                          Definition

Vendor:                       Any external contact provider that supports UMASS Amherst resources and requires access to the internal infrastructure to provide support.


Device:                        Any items used to provide access to resources on UMASS Amherst’s network and may include routers, switches, firewalls, out of band devices, and wireless access points.


Out of Band:                A network device used for remote access to systems using analog lines and modems rather than traditional Ethernet switch technology.


Subcontractor:            Any staff hired by vendors that are not directly employed by vendor, but are used to provide services for the organization.