Application Inventory and Vendor Management Policy for Rockhurst University
Introduction
- Purpose: This policy establishes guidelines for maintaining an application inventory at Rockhurst University to track essential vendor information, application details, data sources, security information, and contract-related information.
- Scope: This policy applies to all applications and vendors used by Rockhurst University.
Application Inventory Management
- Centralized Inventory: Rockhurst University will maintain a centralized application inventory to track all applications used within the organization.
- Essential Vendor Information: The inventory will capture essential vendor information, including vendor name, contact details, and escalation points.
Application Information
- Application Details: The inventory will include details about each application, such as the application name, version, purpose, and description.
- Hosting Information: Indicate whether each application is hosted at Rockhurst University or by the vendor.
- Criticality Assessment: Assign a criticality rating to each application based on its importance to Rockhurst University's operations and the potential impact of its unavailability.
- Upstream and Downstream Data Sources: Identify the upstream and downstream data sources and integration points for each application so that data flows are documented.
Confidential Data
- Student Data (FERPA): Identify whether the application stores or processes confidential student education records protected by the Family Educational Rights and Privacy Act (FERPA).
- Employee Data (HIPAA and Others): Identify whether the application stores or processes confidential employee data, such as health information protected by the Health Insurance Portability and Accountability Act (HIPAA) or data covered by other applicable laws.
- Other Confidential Data: Identify any other types of confidential data, such as financial data or personally identifiable information (PII), that are stored or processed by the application.
Security Information
- Access Controls: Document the access control mechanisms implemented by the application, including how users are authenticated and how authorization to university data is enforced, so that only authorized users can access that data.
- Encryption and Data Protection: Identify the encryption methods and other data protection measures in place to safeguard sensitive information stored by the application (data at rest).
- Secure Data Transmission: Describe the protocols and encryption standards used to protect data in transit between the application and external systems.
- Security Incident Response: Document the vendor's incident response plan for the application, including its procedures and the notification commitments to Rockhurst University in the event of a security incident or breach.
Contract-related Information
- Contract Term Dates: Record the start and end dates of the contract for each application.
- Renewal Dates: Capture the renewal dates of the contracts to ensure timely review and renegotiation, if necessary.
- Annual Maintenance Escalations: Document any annual maintenance escalations, such as cost increases or service level adjustments, to track changes in vendor terms.
Recommended Fields for Vendor Inventory
The following information should be captured for each vendor in the inventory:
a. Vendor Name
b. Vendor Contact Information (including primary point of contact)
c. Vendor Escalation Points
d. Vendor Certifications and Compliance (e.g., ISO, SOC, PCI DSS)
e. Vendor Security Practices and Controls
f. Vendor Financial Stability and Performance
g. Vendor References and Client Testimonials
h. Contractual Terms and Conditions
i. Service Level Agreements (SLAs)
j. Contractual Obligations for Data Confidentiality and Protection
k. Vendor Insurance Coverage (e.g., cyber liability insurance)
l. Vendor Incident Response and Business Continuity Plans
m. Vendor Performance Metrics and Reporting
n. Vendor Exit Strategy and Data Ownership Rights
Compliance and Review
- Compliance with Policies and Regulations: Ensure that each application and vendor complies with relevant policies and regulations, such as data protection laws and industry standards.
- Regular Review: Conduct periodic reviews of the application inventory and vendor information to ensure accuracy, update vendor details, and capture any changes or additions.
Training and Awareness
- Training Programs: Provide training programs to relevant staff members responsible for maintaining the application inventory and vendor management process.
- Awareness Campaigns: Conduct awareness campaigns to inform employees about the importance of maintaining an application inventory and adhering to vendor management practices.
Compliance and Enforcement
- Non-Compliance: Non-compliance with this policy may result in corrective actions, including termination of contracts or legal actions if necessary.
- Policy Review: This policy will be periodically reviewed and updated to reflect changes in technology, regulations, and best practices.
Note: This policy provides a general framework for maintaining an application inventory specific to Rockhurst University's requirements. It is advisable to consult with legal, security, and compliance professionals to customize the policy to the organization's specific needs and align it with relevant regulations and standards.
Last Review Date
07/01/2024