ITS Policies & Procedures

Technology Procurement & Vendor Management Policy

Policy #: LFC.ITS.7
Date: 11/29/2023
Author: LFC ITS
Version: 1.0
Status: Approved

OVERVIEW

Engaging in business with Lake Forest College necessitates that vendors possess certain essential business capabilities. These include, but are not limited to, internet access, the ability to conduct electronic billing and invoicing, robust financial reporting, administrative proficiency, and upholding appropriate insurance and bonding levels as required. Additionally, vendors are expected to deliver high-quality goods and services, ensure timely delivery, offer competitive pricing, and align with our commitment to constructing and upholding facilities of the highest quality and value, all while adhering to the highest standards of ethics, sustainability, and safety.
Historically, these attributes and capabilities were sufficient. However, with the evolution of technology, and considering that most products and services in the market are now fundamentally integrated with technological components, new challenges have emerged. Modern levels of technological integration have made it increasingly difficult for Information Technology Services (ITS) to effectively manage and support acquisitions made in the absence of a centralized purchasing department, and it has become impossible to guarantee compatibility, security, and compliance with regulatory mandates, particularly when ITS was only informed post-acquisition. Unless a proposed product or service contains no technological components and will not access College data, it is now imperative that ITS be fully involved in all stages of purchasing, as outlined in Section 4.
Involving ITS in all technology-adjacent product or service acquisitions will allow the information assurance posture of the service providers to be adequately assessed and security and compliance concerns to be properly accounted for in contracts or agreements. Serious security incidents or data breaches that originate from a third-party vendor still represent significant financial, regulatory, and reputational impacts on the College.
The policy will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements, third-party vendor environments, technological advances, and emerging threats.

1. PURPOSE

This policy supports and supplements the Information Security Policy. In alignment with that policy, the College is committed to maintaining necessary security and compliance requirements for information technology-related products and services in which Lake Forest College data may be stored, processed, or transmitted by an entity not under control of the College. Furthermore, the specific goals in publishing this Policy are to:
  • Protect Lake Forest College's community, property, and interests;
  • Describe the proper process for identifying solutions to perceived functionality gaps;
  • Reduce spending and duplicative acquisitions;
  • Communicate the vendor selection process to College personnel;
  • Ensure compatibility of solutions with existing electronic resources and infrastructure
  • Establish acceptable risk management technical controls to be shared by all vendors;
  • Detail acceptable contractual standards and incident reporting requirements;
  • Support effective data governance through information security best practices
  • Ensure regulatory compliance (FERPA, GLBA, HIPAA, PIPA, etc.);

2. SCOPE

This policy applies to all Lake Forest College departments and individuals who procure products or services or enter into contractual relationships on behalf of the College with third-party vendors or contractors.

3. PRIMARY POLICIES

3.1: ITS Approval: All third-party products or services which include computer hardware, software, handle College data, require network access, or have similar IT-related features or requirements, whether obtained through procurement, by gift, through research, donation, open source, or other, require ITS review and approval before the new IT solution can be used.
3.2 Security & Compliance: To ensure the protection of the College, its community members, and to ensure the safeguarding of College data, all proposed technology-related procurements shall be subject to a Risk Management review which shall evaluate the proposed vendor's business practices and security and compliance features built into the product being procured.
3.3 Contracts: ITS shall execute all contracts and agreements for technology-related systems or software. Ongoing services or subscriptions provided by vendors shall be reviewed by ITS on a periodic basis in order to ensure contractual obligations are being met and College data is being properly safeguarded. Contracts must stipulate certain onboarding and offboarding practices such as data return or destruction, data classification and handling practices, and define prompt notification periods for any data breaches. Separate Data Privacy Agreement documents, when available, are recommended for general purpose applications, and shall be required for all products accessing, storing, transmitting, or otherwise handling data classified as Restricted.
3.4 Limitations of Access: Any vendor access to College data must be provided on an as-needed basis, where access shall be limited strictly to the data necessary to fulfill the functions of the application or service.

4. INSTITUTIONAL PREFERENCES

When partnering with vendors, Lake Forest College exhibits the following preferences or practices:
  • Choosing a smaller number of proven vendors who are responsive and thoughtful
  • Selecting vendors who assign a representative to the College, who understands the mission, challenges, and limitations of higher education.
  • Establishing and maintaining long-term relationships.
  • Pursuit of the best match between needs and offerings; lowest price is not paramount.
  • When available, leveraging consortia agreements.
  • Unique customer numbers/accounts with each vendor, which should be managed through password protected, access-controlled systems which support strong multi-factor authentication.
  • Lake Forest College will challenge vendors when prices deviate significantly and consistently from past patterns.
  • For all technology-related contracts to be centralized into ITS for improved cost control, efficiency, management, support, security, and compliance.

5. INTERNAL PROCESSES

5.1 Gap Analysis: Departments or individuals who believe they have an identified need for a product or service to improve existing practices, enhance productivity, or close a functionality gap within their business unit should first submit a ServiceDesk ticket with a description of the perceived need. ITS staff will review the request and respond accordingly. Typically, this involves a discovery meeting attended by the requestor, any relevant personnel from their business unit, and ITS personnel.
5.2 Solution Discovery Process: ITS will assist the requestor by determining if a product or service already owned or licensed by the College may provide an acceptable solution, or if one should be developed internally. If neither is practical or acceptable, ITS will assist the requestor by performing research to identify compatible and secure external products or services which provide required or desired features while ensuring that needs for compatibility, ongoing support, information security, and compliance are addressed. During this stage, both ITS and the requestor are encouraged to investigate and bring potential solutions to the table.
5.3 Product Evaluation: All discussions and/or demonstrations of proposed products or services shall be attended by ITS and the requestor to facilitate efficient collaboration in the selection process. The requestor shall be responsible for identifying any non-technical needs and requirements, while ITS personnel shall endeavor to identify any technical incompatibilities or information security concerns early in the process which might eliminate a vendor or their product as a viable option. The following characteristics of potential products or services must be considered:
  • Support and Service Level Agreements (SLAs)
  • Product functionality and requirements
  • Installation and other relevant documentation
  • Compatibility with current systems and planned future initiatives
  • Data & Security Compliance concerns
  • Any integration requirements or data import/export with enterprise applications
  • Cost-Benefit Analysis
  • Implementation processes, planning, and timelines
  • Vendor reputation, development roadmap, and investment worthiness
Vendors meeting all requirements shall be asked to furnish budgeting quotes for the relevant products or services with line items for all options or configurations under consideration.
5.4 Cost-Benefit Analysis: Initial quotes for all applicable vendor-provided products and/or services proposed for purchase shall be compared to determine the best value to the College. This process shall involve – at a minimum – calculating either Return on Investment (ROI) or Total Cost of Ownership (TCO) over a period of at least five (5) years to determine whether the purchase is sustainable and fiscally prudent. If a first choice of vendor is not immediately clear to all internal parties, decision matrices which score vendors' solutions across weighted categories – such as price, performance, value, compatibility, vendor responsiveness, security practices, social and environmental impact, etc. – are recommended.
5.5 Tentative Selection: The tentative first-choice vendor shall be asked to provide a final quote with exact license counts, specific selections of components, or other late-stage changes. If the requestor does not negotiate with the vendor for more competitive pricing, a representative from ITS will perform this function.
5.6 Security & Compliance Review: Adequate time must be allotted for a thorough risk management analysis of the tentative winning vendor's business and security practices and identification of any relevant compliance concerns if the proposed vendor will have access to College data classified as Restricted or Sensitive. In such situations, vendors shall be asked to either complete a Security Compliance Questionnaire or to furnish a completed HECVAT assessment form, along with any other appropriate certifications ( ISO 27001, SOC 2, HITRUST, etc.) the organization maintains. The CIO and/or the Information Security Manager shall carefully review this documentation, perform risk management analysis, and identify to the requestor and the vendor any significant concerns, which the vendor should be given a chance to address. The Security & Compliance Review could take up to 15 business days and will begin when all of the vendor's documentation has been successfully received. Delays are possible depending on other work and the number of other reviews in the queue. The length of this process can also depend upon the cooperation of the vendor and how much the requestor is prepared to facilitate. When all parties are well prepared and collaborative, a vendor security assessment can be completed quickly. Vendors who cannot provide a HECVAT assessment (or equivalent) and refuse to answer the Security Compliance Questionnaire will not be eligible for consideration without an authorized exception from the CIO.
5.7 Onboarding: The onboarding of new technology solutions is a critical phase, ensuring seamless integration and alignment with Lake Forest College's existing enterprise architecture, infrastructure, and policies. The process is primarily managed by the Enterprise Applications department within ITS under the guidance of the CIO. The onboarding process involves several steps:
5.7.1. Initial Assessment and Planning: Once a vendor is tentatively selected, the Enterprise Applications department will conduct an initial assessment. This includes understanding the technical requirements, integration needs, and any specific configurations necessary for the new solution. A detailed plan is then developed, outlining the steps for integration, timelines, and resource allocation.
5.7.2. Integration Development: For solutions requiring integration with existing systems (such as Jenzabar) the Enterprise Applications department will delegate tasks to appropriate team members. These tasks may include developing custom integrations, configuring APIs, or setting up data exchange protocols. The goal is to ensure that the new solution works harmoniously with existing systems, with minimal disruption to current operations.
5.7.3. System Integration and Configuration: This phase ensures the new solution seamlessly integrates with Lake Forest College's IT infrastructure:
  1. Single Sign-On (SSO) Configuration: Integration of SSO to allow secure, seamless access using existing College credentials.
  2. Network Adjustments: Necessary modifications to the network setup, including firewall configurations, VPN setups, and bandwidth management, to support the new system.
  3. Email System Integration: Configuring email communications for the new solution, ensuring secure and efficient email interactions in line with college policies.
  4. Other System Integrations: Aligning the new solution with various existing systems and platforms for data exchange, operational synchronization, and compatibility.
5.7.4. Testing and Validation: Before full deployment, the new solution undergoes rigorous testing. This phase validates the integration with existing systems, functionality of the SSO setup, and overall performance. Any issues identified during testing are addressed and resolved to meet operational and security standards.
5.7.5. Training and Documentation: Concurrent with the testing phase, ITS prepares necessary documentation and training materials. These resources assist employees in understanding and effectively utilizing the new solution. Training sessions may be conducted as needed.
5.7.6. Deployment and Monitoring: Upon successful testing and training, the solution is deployed campus wide. ITS closely monitors the integration, ensuring system stability and addressing any post-deployment issues promptly.
5.7.7. Feedback and Continuous Improvement: Post-deployment, feedback is solicited from users to identify areas for improvement. ITS refines and enhances the solution, ensuring it meets the evolving needs of the College over time.
Throughout this onboarding process, ITS will maintain communications with the vendor, relevant College departments, and other stakeholders, ensuring transparency and alignment with project goals and timelines. Timelines for integrations can vary widely depending on technical requirements, vendor implementation processes, and existing team workload, but 12-16 weeks for a straightforward, well-defined project is not unusual. If the technology does not require integration, the quote and risk assessment will be delivered to the requestor after the Security & Compliance Review.
5.8 Vendor Review: For vendors providing ongoing services, such as software subscriptions, a vendor review must occur prior to the annual renewal of that product. 5.9 Contract Terminations: Ongoing subscriptions may either be terminated if the vendor breaches the terms of the contract or not renewed at the end of the contract if the vendor fails to deliver services or otherwise meet expectations.
5.10 Offboarding: At the conclusion of rendered services, the vendor shall be expected to either return all College data and/or properly destroy the data per the College's request, as outlined in either the service contract or a separate Data Privacy Agreement (DPA.) Any integrations with other systems will be decommissioned or removed.

6. VENDOR COMPLIANCE STANDARDS

Vendors are expected to conduct business with the College exemplifying these characteristics or having adopted the following standard practices:
6.1 Ethical Practices:
  • Appropriate, professional conduct
  • Disclosures of conflicts of interest w/ the College or its employees
  • Integrity
  • Ensuring employees have undergone background checks
6.2 Accounting practices:
  • Knowledgeable staff to manage invoicing and contracts
  • Professional, electronic billing & invoicing systems
  • Internet access and e-mail proficiency
  • Understanding of facility management systems
6.3 Business Practices:
  • Offer competitive and fair pricing
  • Responsive to Lake Forest College's requests
  • Timely execution of work
  • Financial capacity to perform work awarded
  • Honor terms and commitments of the contract
  • Maintain required insurance levels or bonding, as appropriate
  • Maintain current licenses and certifications
  • Ongoing safety and compliance trainings
  • Financial reporting
6.4 Security Practices:
  • Providing HECVAT assessments or completion of Security & Compliance questionnaires
  • Acceptable Data Protection Standards, including but not limited to:
    • Data Encryption
    • Data Access Controls
    • Data Retention and Deletion Policies
    • Secure Development Practices
    • Network / Remote Access Security Controls
  • Software Patching Schedules
  • Regular Systems Monitoring & Auditing
  • Security Awareness Training for Employees
  • Regular Risk Management Activities, such as:
    • 3rd Party Risk Management
    • Continual, immutable, and/or Air-Gapped Backups
    • Disaster Recovery, Incident Response, and Business Continuity Planning
    • Vulnerability Scanning & Remediation Cadence
    • Periodic Performance Assessments for Security Controls
6.5 Other Practices or Concerns:
  • Formalized Policies & Procedures
  • Non-IT Security Controls:
    • Human Resources Security
    • Physical and Environmental Security
  • Non-Disclosure Agreements or Business Associate Agreements
  • Service Level Agreements (SLAs)
  • Liability in the Event of a Data Breach
  • Data Return or Destruction Agreemen

7. CONTRACTS

7.1 Other Requirements for Approval: All contracts shall be contingent on a successful vendor review process where the following requirements have been met:
  • The proposed vendor meets all ethical, business, & accounting practices listed.
  • HECVAT, SOC 2, HITRUST, or other reports have been received and reviewed.
  • No high-risk findings are identified in risk assessments that are not resolved to the satisfaction of the Information Security Manager (ISM) and/or the Chief Information Office (CIO.)
  • A cadence is established for periodic vendor evaluations
  • A risk management reassessment will be triggered when a vendor experiences a data breach or other incident requiring IR plan engagement.
  • Regulatory Compliance (PCI-DSS, HIPAA, FERPA, GLBA, PIPA) has been previously established and is continually maintained by the vendor.
  • Board of Trustees or senior leadership team oversight has been provided when appropriate.

RELATED POLICIES:

Document Control:

Entry#: Date Version Notes
1 11/29/2023 1.0 Original policy draft submitted for review
2 12/07/2023 1.0 Reviewed and approved by LITS Advisory Committee
3 01/03/2024 1.0 Reviewed and approved by the Senior Leadership Team