Third Party / Data Access Policy

This document describes the policy under which third party organizations and individuals will be granted access to non-public, proprietary or private electronic data and services maintained by CCA Educational Technology Services for the purposes of performing contracted work with college data on premise or hosted by a third-party or in the cloud. The Contractor Consultant Access Request Form must be completed and submitted to the Helpdesk and approved prior to access.

Scope

All third party organizations and individuals that require access to non-public electronic data and resources maintained by CCA and who are not otherwise classified as full time, part time, or temporary faculty, staff, or students fall under this policy.

Policy

Account Holders

All persons, whether a part of a third party organization or individual contractor, will be given individual access accounts on the services required to perform their work with the appropriate level of access.

CCA Sponsor

All account holders must be sponsored by a CCA department, organization, or employee. Access to sensitive data types should be approved by the responsible data steward and documented in the Helpdesk.

Point of Contact

All account holders must provide external contact information that will be used to contact the account holder in the event of account status changes, misuse, or termination of the contracting agreement.

Acceptable Use

All account holders must agree to the CCA Acceptable Use Policy.

Modifying or Changing Access

All changes to access granted under this policy must originate from the CCA Sponsor and are subject to a security review, including the addition or removal of individual accounts for persons within a third party organization.

Terminating Access

Upon termination of the contracting agreement or when access is no longer required, the CCA Sponsor must notify ETS. ETS will notify all account holders and terminate access. CCA may determine an early termination, should there be a cyber-security threat detected due to compromised systems or accounts managed by the contractor. Contractor must notify CCA if any such event should take place in the duration of the contract with CCA.

Enforcement

Any account holder that is found to have violated this policy will have the account suspended and the account holder's CCA Sponsor will be notified. Following a review, ETS will implement the actions specified by the CCA Sponsor to reinstate or remove the account.

Definitions

Account holder: any individual given electronic access to CCA data and/or services under this policy.

CCA Sponsor: The CCA department, organization, or employee who requested that the third party have access to specific non-public CCA electronic resources.

 

Revision History

15-OCT-2007: Draft policy
16-OCT-2007: Approved by majority of ETS directors
6-JUN-2016: Added language for cloud vendor access and changed name
6-JUN-2016: Approved by CIO and Director of Networks and Systems