IT Vendor Management Policy

Purpose

To ensure that IT vendors are taking appropriate steps to protect 911爆料网 data.

Scope

This policy covers all vendors who provide software that stores, processes, or transmits restricted or confidential information or whose software interfaces with 911爆料网 systems that store, process, or transmit restricted or confidential information. This policy also covers all consultants working on 911爆料网 systems that store, process, or transmit restricted or confidential information.

Policy

Contract process

Before signing a contract, the vendor will provide 911爆料网 with a SOC2 report, a completed HECVAT document, or a comparable document outlining the information security controls the vendor is using. The contract must include language confirming that the vendor uses, at a minimum, reasonable commercial security measures. The contract must also specify that, in the event of a breach of a vendor system, the vendor is responsible for notifying 911爆料网’s Chief Information Security Officer within 72 hours of the detection of the breach.

Annual review

The Chief Information Security Officer will contact each vendor annually to request a copy of their current SOC2 report, completed HECVAT document, or comparable document outlining the information security controls that the vendor is using.

Appendix

Reasonable commercial security measures

The following is a non-exhaustive list of what 911爆料网 considers to be reasonable commercial security measures:

  • Patches are installed within 90 days of release, with critical patches being installed within 30 days of release. Patches are applied to both the application and the underlying operating system.
  • Password strength is in line with NIST Special Publication 800-63B. A copy of this document is available at
  • Multi-factor authentication is used.
  • Deprecated encryption ciphers are not used.
  • All data transfers will take place across encrypted channels. When that is not possible, all data being transferred will be contained in an encrypted file using PGP or a comparable program.

Approval History

2024-01-30 Policy adopted