I. Policy Rationale and Statement

This policy defines the requirements for cloud vendor service providers who contract with the College. This policy is considered an addendum to the vendor contract.

II. Scope

Any cloud vendor service provider that will be connecting to the College network or interacting with College information resources. This policy applies to all faculty, F&M.

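III. Definitions

"Cloud vendor service providers" or "vendor" are service providers with which the College contracts for information services. This definition includes any subcontractors or subservicers working for the vendor. Also referred to as third-party vendors or contractors.

"Personal information" refers to any nonpublic and/or proprietary information in any form concerning any community member that is submitted under this addendum or which the vendor becomes aware of during the term of the Agreement. The College classifies this type of information as "Sensitive" under the Data Classification Policy.

"Nonpublic personal information" is any personally identifiable financial information. This definition is taken from the FTC Privacy Rule regardless of whether community members seek or obtain any financial product or service. The College classifies this type of information as "Confidential" under the Data Classification Policy.

"Community" members include current or former or prospective faculty, staff, students, volunteers, trustees, or representatives of the College or its affiliates.

IV. Policy

Vendor shall provide adequate safeguards for the protection of the confidentiality, integrity, and availability of such information. To the extent applicable, these safeguards shall comply with the current requirements of the following: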

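  • Family Educational Rights and Privacy Act (FERPA)

  • Gramm-Leach-Bliley Act (GLBA)

  • Regulations issued by the Federal Trade Commission (FTC) including, but not limited to, …

  • General Data Protection Regulation (GDPR)

  • Fair and Accurate Credit Transactions Act

  • Americans with Disabilities Act (ADA)

  • California Consumer Privacy Act (CCPA)

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Federal banking regulators

  • And other regulations that may pertain to this contract or service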


  1. Personal information shall be treated as the property of the College.

  2. Vendor shall hold all personal information in the strictest confidence and in accordance with applicable laws and regulations as well as College policies, procedures, standards, and guidelines.

  3. Vendor shall obtain no proprietary rights (directly or indirectly) in or to the personal information.

  4. Vendor shall not disclose the personal information to any third party without prior written consent unless (i) required to perform vendor's obligations under the Agreement or (ii) required by law, in which event vendor shall promptly notify the College of the request or demand.

  5. Vendor shall use such personal information only in connection with the furtherance of the business relationship between the parties, and vendor shall make no further use, in whole or in part, of any such personal information.

  6. Vendor further agrees to disclose the personal information only to its employees and contractors whose services are required in furtherance of the objectives of the business relationship between the parties, and to require each of its employees and contractors to comply with the terms of this Agreement, prior to the disclosure to such employees and contractors.

  7. Upon the expiration or termination of this Agreement, for any reason, vendor shall promptly return to the College all personal information, or upon direction from the College, immediately destroy all personal information.


  1. Vendor has submitted a cloud vendor assessment that defines the steps vendor shall take to protect personal information and related data. This may be the Franklin & Marshall custom cloud vendor assessment tool or the Educause higher education cloud vendor assessment tool (HECVAT).

  2. Vendor shall revise and re-submit an updated cloud vendor assessment when significant changes in business operations or service delivery have occurred, and when renewing or extending a previous contract.

  3. Any contract involving vendor access to, creation of, or maintenance of Protected Health Information (PHI) must include a Health Insurance Portability and Accountability Act Business Associate Agreement (BAA).

  4. Any contract involving vendor provided credit card services must require that the contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when providing services.

  5. The College may annually (or more frequently as circumstances require in the College's judgment) review the vendor's compliance with the Agreement.



  1. The Agreement permits the vendor to access personal information.

  2. Vendor shall hold the personal information in strict confidence and access it only for the explicit business purposes of the Agreement.

  3. Vendor stipulates to allowing the entry of injunctive relief without the posting of bond in order to prevent or remedy breach of the confidentiality obligations of the Agreement.

  4. Vendor stipulates that any violation of these requirements shall constitute a material breach of the Agreement and entitles the University to immediately terminate the Agreement without penalty to the College.

  5. Vendor shall maintain controls to ensure that any subservicer or subcontractor used by the vendor is also subject to the terms of this Agreement.

  6. These requirements shall survive termination of the Agreement.


  1. Vendor shall ensure compliance with the confidentiality and security conditions of the Agreement.

  2. Vendor shall protect the personal information it accesses in accordance with the cloud vendor assessment report.

  3. Vendor shall notify the College of any security incident, security breach or unauthorized access of College personal information as soon as practical, but not later than 48 hours after discovery. Notification shall be made directly to Information Technology Services at the College, the CIO, the CISO, and the contact person indicated in the Agreement.

  4. Vendor agrees that it will not notify any affected individuals of a security breach or unauthorized access without first consulting with and obtaining consent from the College.

  5. Vendor shall take immediate steps to remedy any security breach or unauthorized access at the vendor's expense.

  6. Vendor shall be responsible for actual costs incurred by the College in responding to and mitigating damages caused by any security breach or unauthorized access, including notification, credit monitoring, or other remedial measures.

Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer