Policy 916 - Third Party Services Policy

Section: Information Technology
Policy Number: 916
Responsible Office: Business Affairs
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20

Policy Statement

The Third Party Risk Management (TPRM) Policy, through the corresponding TPRM Program, is intended to accomplish the following key goals:

  • Provide a framework through which St. John’s University (St. John’s) adheres to a consistent, documented process of engaging and managing Third Parties;
  • Maintain a reasonably complete and accurate Third Party Inventory (TPI);
  • Assess the suitability of using a Third Party to provide a product or service, consistent with St. John’s business strategies and objectives;
  • Take reasonable steps to select and retain Third Party Relationships (TPRs) that are capable of maintaining appropriate safeguards for the Federal Student Aid, student, and St. John’s information;
  • Require that TPRs be governed by written contracts that clearly define the expectations and obligations of St. John’s and each Third Party, and include provisions to protect the interests of St. John’s and its constituents;
  • Engage in ongoing risk-based management of St. John’s TPRs to determine if expectations and obligations are being met, and, if performance errors or compliance infractions occur, determine whether penalties and/or remediation are warranted and/or if engagement with the Third Party should continue; and
  • Disengage from TPRs, when warranted.

Scope and Applicability

The TPRM Policy applies across St. John’s, including all campuses and legal entities (collectively, the University). Examples of TPRs that warrant ongoing risk management, as well as those that do not, include, but are not limited to, the following:

Third Party Relationship (TPR) Examples

In-Scope (Warrant Ongoing Risk Management):

  • Activities that involve outsourced products and services
  • Service providers and platforms utilizing cloud solutions
  • Use of independent consultants
  • Networking and marketing arrangements
  • Real estate services where the University places faculty, staff, students, alumni, donors, and other University-related parties
  • Services provided by non-wholly owned University affiliates and subsidiaries
  • Joint Ventures (JVs) that provide a product or service directly to the University and/or the University’s employees, students, alumni, donors, or other relationships
  • Other business arrangements where the University has an ongoing relationship with the Third Party

Out-of-Scope (Do Not Warrant Ongoing Risk Management):

  • One-time purchases for equipment without ongoing maintenance (please see University Hardware and Software purchase guidance)
  • End-user computing software that is designed as a utility and where the purpose is not for data sharing (handled via End User Computing Policy)
  • Supplies, materials, or services (also applies to a recurring use of a Third Party for purchases without a commitment), where the duration of the relationship generally lasts 90 days or less, and the Third Party does not access University information, including that of faculty, staff, students, alumni, donors, and other University-related parties, or University information systems
  • Trade shows and professional organizations (including industry advisory groups, consortiums, member associations, professional dues, and forums)
  • Tax authorities and other governing bodies or government entities (e.g., the Internal Revenue Service (IRS))
  • Donations made to or by the University
  • Organizations to the extent that their sole service to the University consists of the provision of training, magazines, newsletters, bulletins, reports and reference or other materials of a similar nature that are not deemed a critical input to business processes
  • JVs or Strategic Alliances (SAs), where the JV or SA does not provide a product or service directly to the University and/or the University’s employees, students, alumni, donors, or other relationships
  • Equity investments by the University in organizations that do not provide a product and/or service to the University
  • Non-sanctioned student organizations, including but not limited to fraternities and sororities
  • Payments made by Third Parties
  • Law enforcement and human life safety related organizations (interactions with the Third Party, including data handling and sharing, are subject to University policies and procedures)
  • International recruiters (handled via HR Policies)
  • Organizations to the extent that their sole service to the University consists of enrollment lead generation
  • Mandated use of a specific Third Party, when the contract is not between the University and the Third Party (Government Agency, Grant, or otherwise; interactions with the Third Party, including data handling and sharing, are subject to University policies and procedures)

Where a Third Party-provided product or service may, but does not expressly, require ongoing risk management, Departments are required to work with the TPRM Policy Owner to assess potential status.

Policy

The University has established a University-wide program for managing TPRs, which consists of two separate processes: (i) Standard and (ii) Alternative. Whether a TPR is managed through the standard process or through an approved alternative program, the full scope of required risk management phases articulated in this TPRM Policy must be employed.

An alternative program is one in which a Department manages a group of like TPRs (TPRs that provide a common product, service, activity, or function) collectively rather than one at a time. Considerations for creating an alternative program may include, but are not limited to, the following:

  • Whether managing the TPRs collectively provides added efficiency without creating additional risk
  • Whether the TPRs share similar risk characteristics so as to allow them to be risk-assessed as one
  • The ease or difficulty of terminating or replacing a TPR
  • Whether the TPRs are mission critical to the University
  • Whether the TPRs are subject to independent oversight (for example, professional license or certification)

In the course of conducting business, St. John’s University (“St. John’s” or “University”) engages Third Parties (as defined below) to:

  • Provide products or services to the University or its students, alumni, and/or other relationships;
  • Perform functions of the University’s operations on behalf of the University (commonly referred to as “outsourcing”); and
  • Conduct business on behalf of the University or franchise the University’s attributes (e.g., use the University’s brand, name, logo, etc.).

Although the use of Third Parties can provide an effective and efficient means of accomplishing University objectives, such as increasing efficiency or revenues, supplying specific knowledge or expertise, and/or providing technology, reliance on TPRs can significantly increase the University’s risk profile.

The University recognizes that increased risk often arises from poor planning, ineffective management control and/or oversight over the Third Party, and inferior performance or service on the part of the Third Party.

When engaging a Third Party, the University will conduct appropriate risk management activities, as provided in this TPRM policy, to manage the University’s corresponding risks, including, but not limited to, reputational, financial, operational, strategic, and compliance risks. Accordingly, the decision of a University Department to engage a Third Party must be consistent with the University’s business objectives and made only after due diligence and consideration of the risks involved.

It is the policy of the University to establish and maintain comprehensive standards, procedures, and internal controls to assess, monitor, and manage TPRs and their associated risks. This TPRM policy and its related and supporting documents (collectively, the “Program”) outline the risk-based framework and management processes the University has adopted to ensure the effective oversight and risk management of TPRs.

The Program outlines the risk management process throughout the TPRM life cycle, including planning, due diligence, contracting, ongoing monitoring and management, periodic reevaluation, and termination. The Program enables the University to outline the roles and responsibilities of parties involved with TPRs. It also allows the University to properly identify Third Parties that present risk, measure the identified risks, perform thorough due diligence, provide ongoing oversight of TPRs and activities, drive consistency for management and reporting of TPRs, and manage the TPR, up to and including termination.

Definitions

The following are definitions relevant to this policy:

  • Third Party: An entity, whether or not affiliated with the University, that is in a business arrangement with the University, by contract or otherwise, that warrants ongoing risk management.
  • Third Party Relationship (TPR): A product, service, or other engagement provided by a Third Party.
  • Subcontractor / Fourth Party: An entity that is in a business arrangement with one or more of the University’s Third Parties to support the corresponding TPR. Essential Fourth Parties:
    • Support delivery of a product or service by a mission critical TPR
    • Receive Personally Identifiable Information (PII), and/or
    • Interact with faculty, staff, students, alumni, donors, and other University-related parties
  • Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Compliance

The Contract Owner is responsible for oversight of the alternative program and ensures that University protocols are followed. Questions about the alternative program should be directed to the TPRM Policy Owner in the first instance.

The TPRM Policy Owner or designee will monitor for adherence to the TPRM program. Non-adherence may be reported to the Senior Management Committee and may be subject to the University’s disciplinary processes.

Related Policies, Standards or Regulations

  • Third Party Risk Management Program 
  • 926 - End User Computing Policy
  • Accounts Payable Vendor Creation Policy
  • Business Expense Policies and Procedures
  • Enterprise Risk Management Standards
  • Federal 3rd Party Servicers Guidelines
  • FERPA
  • Payment Card Industry Program
  • Purchasing Policies and Procedures