{"id":3232,"date":"2026-06-15T16:35:37","date_gmt":"2026-06-15T16:35:37","guid":{"rendered":"https:\/\/www.tarleton.edu\/technology\/?page_id=3232"},"modified":"2026-06-15T16:36:28","modified_gmt":"2026-06-15T16:36:28","slug":"tarleton-oits-vendor-access-standard","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/technology\/tarleton-oits-vendor-access-standard\/","title":{"rendered":"Tarleton OITS Vendor Access Standard"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-7387b849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h1 class=\"wp-block-heading\">Tarleton Office of Innovative Technology Solutions (OITS) <br>Vendor Access Standard<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Effective: February 11, 2020<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Revised:&nbsp; June 15, 2026&nbsp;<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image alignright size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.tarleton.edu\/technology\/wp-content\/uploads\/sites\/170\/2021\/12\/Tarleton_TonTexas.svg\" alt=\"The Tarleton State University logo\" class=\"wp-image-670\" style=\"width:159px;height:auto\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator alignfull has-alpha-channel-opacity has-vivid-cyan-blue-to-vivid-purple-gradient-background has-background is-style-wide\" \/>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Procedure Summary<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At Tarleton State University (Tarleton or university), vendors play&nbsp;an important role&nbsp;in the support of hardware and software management, and other operations for customers. Vendors may have the capability to remotely view, copy, and&nbsp;modify&nbsp;data and audit logs. They might remotely correct software and operating system problems;&nbsp;monitor&nbsp;and fine tune system performance;&nbsp;monitor&nbsp;hardware performance and errors;&nbsp;modify&nbsp;environmental systems; and reset alarm thresholds. Setting limits and controls on what can be seen, copied,&nbsp;modified, and controlled by vendors will eliminate or reduce the risk of liability, embarrassment, and loss of revenue and\/or loss of trust involving the university.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tarleton information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm\">Texas Government Code Chapter 2054<\/a>. The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with vendor access. This standard applies to all departments, administrators, and vendors who&nbsp;are responsible for&nbsp;vendor supplied information resources and any Tarleton mission critical and confidential information that is vendor-accessible.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group word-wrap: normal is-layout-flow wp-block-group-is-layout-flow\">\n<p class=\"wp-block-paragraph\">The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?chapter=202&amp;interface=VIEW_TAC&amp;part=10&amp;title=1\">Texas Administrative Code (TAC) Chapter 202 \u2010 Information Security Standards<\/a>, each department and\/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Please see the <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/\"><\/a><a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/access-control-ac\/\">Tarleton Security Controls Catalog, specifically the Access Control (AC) family<\/a>, for additional information and requirements.<\/p>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Procedures and Responsibilities<\/strong>&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Personnel who provide vendors\u2019 access to university mission critical or confidential information resources shall obtain formal acknowledgement from the vendor of their responsibility to comply with all applicable university policies, rules, standards, practices and agreements, including but not limited&nbsp;to:&nbsp;safety policies, privacy policies, security policies, auditing policies, software licensing policies, acceptable use policies, and nondisclosure as required by the providing entity.&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>If a Tarleton vendor account is needed, the vendor and Tarleton full-time employee vendor account sponsor will need to abide by the Tarleton Security Controls Catalog, <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/access-control-ac\/ac-2-account-management\/\">AC-2 Account Management<\/a> and the <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/awareness-and-training-at\/at-2-literacy-training-awareness\/\">AT-2 Literacy Training and Awareness<\/a> requirements as well.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tarleton employees who are&nbsp;procuring&nbsp;the services of vendors who are given access to mission critical and\/or confidential information are expected to define the following with the vendor:&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>The university information to which the vendor should have access;&nbsp;&nbsp;<\/li>\n\n\n\n<li>How university information is to be protected by the vendor;&nbsp;<\/li>\n\n\n\n<li>Acceptable methods for the return, destruction, or disposal of university information in the vendor&#8217;s possession at the end of the contract;&nbsp;&nbsp;<\/li>\n\n\n\n<li>That the use of Tarleton information and information resources are only for the purpose of the business agreement; any other university information&nbsp;acquired&nbsp;by the vendor&nbsp;in the course of&nbsp;the contract cannot be used for the vendors\u2019 own purposes or divulged to others; and,&nbsp;&nbsp;<\/li>\n\n\n\n<li>Vendors shall&nbsp;comply with&nbsp;terms of applicable non-disclosure agreements.&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tarleton shall provide an information resources point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor&nbsp;complies with&nbsp;university policies.&nbsp;&nbsp;<\/li>\n\n\n\n<li>The information resource owner shall specify&nbsp;appropriate access&nbsp;authorization for each on-site vendor employee (i.e., university affiliate) according to the criticality of the information resource.&nbsp;&nbsp;<\/li>\n\n\n\n<li>Vendor personnel shall report all security incidents directly to&nbsp;appropriate university&nbsp;personnel, including, but limited to the Office of Innovative Technology Solutions (OITS) Security Team and Tarleton Chief Information Security Officer (CISO). &nbsp;&nbsp;<\/li>\n\n\n\n<li>The responsibilities and details of any vendor management involvement in university security incident management shall be specified in the contract.&nbsp;&nbsp;<\/li>\n\n\n\n<li>The vendor must follow all applicable university change control processes and standards, please see the <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/configuration-management-cm\/\">Tarleton Security Controls Catalog, Configuration Management (CM) family <\/a>for additional information. Regular work hours and duties shall be defined in the contract.&nbsp;Work outside of defined parameters must be approved in writing by appropriate university management.&nbsp;&nbsp;<\/li>\n\n\n\n<li>Except for&nbsp;very limited&nbsp;exceptions, all vendors must use VPN to access or support Tarleton\u2019s network infrastructure.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Definitions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Confidential Information<\/strong>: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Information Resources (IR)<\/strong>: the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Information Security Officer (ISO) \/ Chief Information Security Officer (CISO)<\/strong>: responsible for administering the information security functions within the university and reports to the information resources manager (IRM).&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Mission Critical Information<\/strong>: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the a department or the university.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Owner of an Information Resource<\/strong>: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.&nbsp;&nbsp;<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Related Statutes, Policies, or Requirements<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?chapter=202&amp;interface=VIEW_TAC&amp;part=10&amp;title=1\" target=\"_blank\" rel=\"noreferrer noopener\">Title 1, Texas Administrative Code (TAC 202), Information Security Standards for Institutions of Higher Education<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/policies.tamus.edu\/29-01.pdf\">TAMUS Policy 29.01, Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-02.pdf\">TAMUS Regulation 29.01.02, Use of Licensed Software<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-03.pdf\">TAMUS Regulation 29.01.03, Information Security<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-04.pdf\">TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-05.pdf\">TAMUS Regulation 29.01.05, Artificial Intelligence<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-06.pdf\">TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/policy\/wp-content\/uploads\/sites\/142\/2022\/06\/29_01_03_T0_01.pdf\">Tarleton SAP 29.01.03.T0.01, Information Resources &#8211; Acceptable Use<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/policy\/wp-content\/uploads\/sites\/142\/2022\/06\/29_01_99_t1.pdf\">Tarleton Rule 29.01.99.T1, Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/\">Tarleton Security Controls Catalog<\/a><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Contact Office<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Office of Innovative Technology Solutions&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AVP and CIO of Innovative Technology Solutions&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">254-459-5685&nbsp;<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tarleton Office of Innovative Technology Solutions (OITS) Vendor Access Standard Effective: February 11, 2020 Revised:&nbsp; June 15, 2026&nbsp; Procedure Summary&nbsp; At Tarleton State University (Tarleton or university), vendors play&nbsp;an important &#8230;<\/p>\n","protected":false},"author":94,"featured_media":580,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"template-fullwidth.php","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","_wds_title":"","_wds_metadesc":"","_wds_focus-keywords":"","_wds_meta-robots-adv":"","_wds_meta-robots-noindex":false,"_wds_meta-robots-nofollow":false,"_wds_meta-robots-index":false,"_wds_meta-robots-follow":false,"_wds_autolinks-exclude":false,"_wds_canonical":"","_wds_redirect":"","_wds_opengraph":[],"_wds_twitter":[],"footnotes":""},"class_list":["post-3232","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/technology\/author\/jgeorge\/","display_name":"jgeorge"},"relative_dates":{"created":"Posted 4 hours ago","modified":"Updated 4 hours ago"},"absolute_dates":{"created":"Posted on June 15, 2026","modified":"Updated on June 15, 2026"},"absolute_dates_time":{"created":"Posted on June 15, 2026 4:35 pm","modified":"Updated on June 15, 2026 4:36 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/comments?post=3232"}],"version-history":[{"count":2,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3232\/revisions"}],"predecessor-version":[{"id":3234,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3232\/revisions\/3234"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/media?parent=3232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}