Tarleton Office of Innovative Technology Solutions (OITS)
Vendor Access Standard
Effective: February 11, 2020
Revised: June 15, 2026
Procedure Summary
At Tarleton State University (Tarleton or university), vendors play an important role in the support of hardware and software management, and other operations for customers. Vendors may have the capability to remotely view, copy, and modify data and audit logs. They might remotely correct software and operating system problems; monitor and fine tune system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of liability, embarrassment, and loss of revenue and/or loss of trust involving the university.
Tarleton information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with vendor access. This standard applies to all departments, administrators, and vendors who are responsible for vendor supplied information resources and any Tarleton mission critical and confidential information that is vendor-accessible.
The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer.
Please see the Tarleton Security Controls Catalog, specifically the Access Control (AC) family, for additional information and requirements.
Procedures and Responsibilities
- Personnel who provide vendors’ access to university mission critical or confidential information resources shall obtain formal acknowledgement from the vendor of their responsibility to comply with all applicable university policies, rules, standards, practices and agreements, including but not limited to: safety policies, privacy policies, security policies, auditing policies, software licensing policies, acceptable use policies, and nondisclosure as required by the providing entity.
- If a Tarleton vendor account is needed, the vendor and Tarleton full-time employee vendor account sponsor will need to abide by the Tarleton Security Controls Catalog, AC-2 Account Management and the AT-2 Literacy Training and Awareness requirements as well.
- Tarleton employees who are procuring the services of vendors who are given access to mission critical and/or confidential information are expected to define the following with the vendor:
  - The university information to which the vendor should have access;
  - How university information is to be protected by the vendor;
  - Acceptable methods for the return, destruction, or disposal of university information in the vendor’s possession at the end of the contract;
  - That the use of Tarleton information and information resources is only for the purpose of the business agreement; any other university information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others; and,
  - Vendors shall comply with terms of applicable non-disclosure agreements.
- Tarleton shall provide an information resources point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor complies with university policies.
- The information resource owner shall specify appropriate access authorization for each on-site vendor employee (i.e., university affiliate) according to the criticality of the information resource.
- Vendor personnel shall report all security incidents directly to appropriate university personnel, including, but not limited to, the Office of Innovative Technology Solutions (OITS) Security Team and Tarleton Chief Information Security Officer (CISO).
- The responsibilities and details of any vendor management involvement in university security incident management shall be specified in the contract.
- The vendor must follow all applicable university change control processes and standards; please see the Tarleton Security Controls Catalog, Configuration Management (CM) family, for additional information. Regular work hours and duties shall be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate university management.
- Except for very limited exceptions, all vendors must use VPN to access or support Tarleton’s network infrastructure.
Definitions
Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).
Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.
Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
Tarleton Security Controls Catalog
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685