Administrative Order 2022-03
Adoption of City of Bozeman Vendor Access Policy

Pursuant to my authority as City Manager, I hereby adopt the City of Bozeman Vendor Access Policy attached hereto as Attachment A.

DATED this o2, — day of 52022.

Jeff Mihelich, Bozeman City Manager

Vendor Access Policy

1. Overview

Vendor - Any business that sells goods or services to the City of Bozeman.

Vendors play an important role in the support of hardware, software and operations for the City of Bozeman (the "COB"). Setting appropriate limits and controls on what can be seen, copied, modified, and controlled by vendors reduces the risk of exposure, breaches, liability, loss of trust and reputation to COB.

2. Purpose

This policy establishes vendor requirements and procedures that address access to information resources, support services, vendor responsibilities, and protection of COB information.

3. Scope

This policy applies to all vendors that remotely connect to any COB technology resources.

4. Policy

A. GENERAL

Vendors and staff must comply with this policy and the procedures specified herein.

B. COB RESPONSIBILITIES

The COB IT Department will implement and maintain a list of vendors and the users authorized by the IT Department to access COB information resources. This list must specify:

- Resources that the vendor accesses.
- Security measures vendor will take to protect COB data.

COB Contact

COB will provide a COB IT point of contact for the vendor as part of its normal operating procedure. The point of contact will work with the vendor to make certain they are in compliance with this and other COB policies.

IT Security Policies

C. VENDOR RESPONSIBILITIES

Vendors must comply with the following procedures as part of their COB working relationship.
The COB may require documentation or other evidence of a vendor's compliance with these requirements.

Access—Access to COB systems will require the following:

- Software - The vendor must use the VPN and Multi-Factor Authentication components specified by COB if an always on VPN tunnel (a VPN network connection to the COB that is always on and is established by connecting a vendor's networking hardware to the City's networking hardware) has not been established.
- Always on VPN Tunnels—Upon termination of contract or at the request of COB, vendor VPN tunnel configurations that facilitate connectivity to COB will be removed from vendor's networking equipment and the vendor must cease all attempts to connect to COB resources.
- Ad Hoc VPN connections - Upon termination of contract or at the request of COB, the vendor must cease all attempts to connect to COB resources. COB IT will have to enable vendor accounts prior to each use.

Sub-Contractor Access—Vendors that have agreements with COB cannot authorize sub-contractor access to COB Information resources without written permission from COB. Sub-contractors cannot use the Primary Vendor's access permissions. Vendors must work directly with COB to get Sub-contractors authorized access. The Sub-contractor will be required to comply with all COB policies established with the primary vendor.

Vendor Contact—Vendor must provide a point of contact that will provide a list of up to three authorized users.

User Departure—If a user that is authorized to connect to COB departs for any reason, the vendor must contact COB immediately so COB can remove the account for that user.

Anti Virus—Vendor must have up to date antivirus protection in place and active on all devices used to connect to COB resources.

Operating Systems—All devices used to connect to COB resources must be running a supported operating system version that has up to date patches.
Incident Reporting—Vendors must report all security incidents that could impact COB, to the COB IT Director or designee within 24 hours.

Personally Identifiable Information--Access to and storage of any PII or other confidential information must comply with all applicable laws. Upon termination of a vendor for any reason, the vendor shall ensure that all sensitive information, including PII, is collected and returned to COB or destroyed within a timeframe determined in the original contract terms.

5. Enforcement

Vendors found in violation of this policy may face termination of unsupervised access to COB systems or termination of the contract.

6. Distribution

This policy is to be distributed to all COB staff responsible for vendor management.

7. Policy Version History

Version   Date         Description              Approved By
1.0       04/27/2022   Initial Policy Drafted   Scott McMahan