
Vendor Hosted Application Policy

Title: Vendor Hosted Application Policy
Effective Date: 2017
Responsible Office: Information Technology
Last Updated: August 30, 2024

Policy

This policy governs the use of vendor-hosted applications (also referred to as Software-as-a-Service or SaaS applications).  It is intended to ensure that sensitive data is secured when it is transmitted to and stored by a third-party vendor.

Scope

This policy applies to applications hosted by third-party vendors that store sensitive William & Mary data.

Definitions
Sensitive Data

Sensitive data is highly confidential and/or personal information protected by statutes, regulations, university policies or contractual language which, if exposed or breached, could result in legal damages, fines/penalties, identity theft and/or financial fraud.  Data stewards may also designate data as sensitive if it requires the same level of protection.  Data elements defined as sensitive include:

  1. Social security numbers
  2. Driver's license numbers
  3. Credit/debit card numbers
  4. Passport numbers
  5. Federal ID numbers
  6. Student financial aid data
  7. Financial data that informs the university's end-of-year financial statements
  8. Employee health records protected by the Virginia Health Records Privacy Act
  9. System account credentials

Sensitive data does not include William & Mary directory information or data that the university has made public.  Furthermore, the university has no obligation to protect an individual's personal information if that information is provided to a third party by another supplier without the involvement of the university.

Protected Data

Protected Data is information that is protected by statutes, regulations, university policies, or contractual language but which does not carry the same level of risk as Sensitive Data.  By way of illustration only, some examples of Protected Data include:

  1. Student education records protected by the Family Educational Rights and Privacy Act (FERPA).  Under FERPA, education records are any documents, files, and/or other materials that contain information directly related to a student, are personally identifiable to that student, and are maintained by the university or a university agent.  FERPA designates several types of records as exceptions to this definition, including law enforcement records and medical and treatment records.  Education records include, but are not limited to, grades, transcripts, class lists, student course schedules, contact and family information, student health records, student financial information (at the postsecondary level), and student discipline files.  The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, film, microfiche, and e-mail.  For more information contact the University Registrar at [[w|ferpa]] or visit the University Registrar website.
  2. Personal information and/or giving history collected from a donor, alumnus, or another individual.
  3. Employment or non-identifiable personnel data.
  4. Banner 93 numbers.
  5. Performance Evaluations.

In the case where a discrepancy exists between the definitions provided here and the university's official Data Classification Policy, the Data Classification Policy takes precedence.

Policy

The university requires that all third-party suppliers hosting sensitive and/or protected data undergo a security review.  At a minimum, the security review consists of a risk assessment of the application hosting provider's information security program and controls and a digital accessibility assessment.  For hosted applications with protected data, the university will obtain and review the provider's Higher Education Community Vendor Assessment Toolkit (HECVAT) response.  For hosted applications with sensitive data, a more rigorous review is required, including an independent assessment of the hosting provider's security program in the form of a SOC 2 Type 2 report.  Vendors and hosted applications that cannot provide the required documentation must undergo a risk assessment, and the business unit must accept the identified risk, before approval.  New and renewing contracts with third-party suppliers hosting sensitive data require a contractual addendum, signed by the supplier, obligating it to implement an effective information security program that meets or exceeds the information security standards of the university.  Business units contracting with hosted applications that store sensitive data are required to meet with the Information Security team annually to review their obligations and responsibilities for ensuring that sensitive information hosted by the vendor is secured.

Non-Compliance

An employee's failure to comply with any of the above policy statements may result in being disciplined, in accordance with general university employment policies and procedures that apply to the respective category of employees.  The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.

A student's failure to comply with any of the above policy statements may result in disciplinary action in accordance with the Student Handbook.  Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII.  The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.