Suppliers play an important role in protecting Norwich University (NU) systems, data, and IT Resources. The information on this page should help Suppliers understand what is needed to be a part of NU’s strategy to manage cyber risk.
Suppliers to NU must meet a wide range of requirements. These span a range of topics, including meeting specifications and policy requirements and complying with laws, regulations, and initiatives.
In today’s economy and legal-regulatory environment, cybersecurity must be a priority for suppliers and their supply chain (sub-suppliers) who strive to serve Norwich University.
Specific Requirements for Cybersecurity
NU expects suppliers to have 5 basic cybersecurity elements in place. Suppliers must have:
- Security Plan: A written, reviewable, and implemented cybersecurity and cyber risk management plan that is clear about how NU’s (or any customer’s) data and resources are protected. Suppliers must keep this plan up-to-date and operating effectively. Suppliers should also be keenly aware of, and manage, the risks that stem from their own suppliers.
- Evidence the plan is working: A method to demonstrate that the plan is implemented and working effectively.
  Examples include:
  - A completed and reviewed HECVAT (Higher Education Community Vendor Assessment Toolkit), used by over 100 universities;
    - A HECVAT request will be made by NU’s information security team using our automated system.
  - A SOC 2 Type 2 report using an appropriate set of controls (Note: a SOC report covering only a third-party data center, such as AWS, is NOT sufficient. NU needs to understand your company’s business processes and risks, not just the practices of a data center);
  - ISO 27001 certification using an appropriate set of controls;
  - A PCI Report on Compliance;
  - A Health Information Trust Alliance (HITRUST) Common Security Framework certification;
  - A Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization;
  - FedRAMP certification;
  - A third-party audit demonstrating effective cyber risk management; or
  - Some combination of the above.
- Incident Response Plan: A plan for notifying NU within 72 hours of the identification of an incident and then keeping NU informed as the incident is investigated. If an extensive investigation is required, suppliers must commit to helping NU during the investigation and response phases.
- Customer Notification Plan: A plan for notifying NU within 72 hours when major changes occur or vulnerabilities are identified.
- Best Practices: A commitment to avoid some of the most common supply chain mistakes. All of these should be in the Supplier’s security plan. There are 8 best practices and 6 elements that must be present in any security plan (see below). By themselves, these do not constitute a security plan; they are a list of important items that must be present in one.
Additionally, Norwich University requires the following prior to contract execution:
- Data Security Addendum (DSA): Vendors must agree to the terms in our DSA during the contracting process. The DSA will be shared once security evaluation has been completed and the legal review process begins.
- External Cyber Footprint Scan: Norwich University uses a vendor management system to continuously monitor vendors. This system uses publicly available information to assess the security posture of the supplier. The initial review is unannounced and is generated by the system when NU begins to assess a vendor for a project; unannounced reviews continue on a regular basis thereafter. If deficiencies are found, the vendor must remediate them within an acceptable amount of time.
Suppliers should consider NU’s requirements reasonable and accept that NU, along with other customers, expects Suppliers to have a plan to manage cyber risk.
In addition, NU’s terms and conditions require appropriate cyber insurance, which varies based on the data involved, as well as other insurance requirements.
Shared Responsibility Models
If the solution to managing cyber risk involves shared responsibility, then NU expects the Supplier to be able to clearly and unambiguously state what the Supplier manages, what NU is expected to manage, and, in the case of joint management, how that process operates.
Basic Security Plan Elements
Supplier’s Information Security Plan must:
1. Ensure the security (including but not limited to: confidentiality, integrity, and availability) of Institutional Information and IT Resources through the use and maintenance of appropriate administrative, technical, and physical controls;
2. Protect against any reasonably anticipated threats or hazards to Institutional Information and IT Resources (e.g., ransomware, loss or theft of equipment, nation state actors, insider risks, intellectual property theft, data theft, errors, etc.);
3. Related to 1 and 2, address the risks associated with the Supplier storing, processing, transmitting, or having access to Institutional Information and IT Resources;
4. Comply with applicable regulations and/or external obligations for data protection, security, and privacy;
5. Clearly document the cybersecurity responsibilities of each party.
A Few Supplier Best Practices
The Supplier must ensure its security plan limits its access to, use of, and disclosure of Institutional Information and IT Resources to the least invasive degree necessary to provide the Goods and/or Services, by doing the following:
- Prevent the sharing of passwords or authentication secrets that provide access to Institutional Information and/or IT Resources;
- Prevent the use of passphrases (passwords) or other authentication secrets that are common across customers or multiple unrelated NU sites or units;
- Prevent unauthorized access to Institutional Information and IT Resources;
- Prevent unauthorized changes to IT Resources;
- Prevent the reduction, removal, or turning off of any security control without express written approval from NU;
- Prevent the creation of new Supplier accounts to access Institutional Information and IT Resources without express written approval from NU;
- Prevent the storing, harvesting, or passing through of NU credentials (username, password, authentication secret, or other factor); and
- Prevent the use or copying of Institutional Information for any purpose not authorized under the Agreement or any associated Statement of Work (SOW).
For more information, contact the Chief Information Security Officer or the Chief Information Officer.