Third-Party Security Risk Management

1. Policy

Issued: May 3, 2019 
Last Revised: August 1, 2025 
Last Reviewed: August 1, 2025 

Applies to: Faculty (including part-time, adjunct and visiting faculty), postdoctoral scholars, staff and student workers (including graduate/undergraduate student workers and graduate assistants) employed by the University of Southern California (“USC” or the “University”), including those working for the University’s health system (“USC Employees”); third parties including vendors, affiliates, consultants, and contractors when using USC-Owned Technology Resources; iVIP (guests with electronic access) as well as any other users of USC-Owned Technology Resources, including retirees, independent contractors, or others (e.g., temporary agency employees) who may be given access on a temporary basis to University systems. This policy continues to apply to individuals who are on sabbatical or other leaves, or who are visiting other institutions.

2. Policy Purpose

This Third-Party Security Risk Management Policy establishes university security requirements for the use of third-party services, products or related processes that:

• Handle USC information, whether by accessing, storing, processing, transmitting, or receiving data; this covers hardware and software products, support and maintenance, service or solution providers, and Information Technology (IT) services.

• Maintain a separate but trusted network connected to the USC network and provide services for, on behalf of, or in conjunction with USC.

3. Scope and Application

This policy identifies the minimum requirements for third-party security risk management activities for all USC departments, schools, and units (DSU), inclusive of Keck Medical affiliates, retirees, emeriti, consultants, and others who have access to USC technology resources, including USC email, as well as any other users of the USC network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access on a temporary basis to University systems.

4. Definitions

Term: Definition

Business Associates Agreement (BAA): A legal document between a healthcare provider and a contractor, used when that vendor might receive access to Protected Health Information (PHI).

Confidential: Data that includes regulated or sensitive information requiring compliance efforts if accessed by unauthorized parties, or which could cause legal, financial, reputational, or operational harm if disclosed.

Data Security Addendum (DSA): A legal document used during the procurement process that is designed to safeguard and limit the unauthorized disclosure and use of personal information and proprietary technical data between a vendor and USC.

High Value Information (HVI): USC information systems that create, process, transmit or store High Value Information (HVI).

Internal Use Only: Data that includes all information used to conduct USC business, unless categorized as “Confidential” or “Public”.

Protected Health Information (PHI): Also referred to as personal health information; generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.

Third-Party: Any outside individual or entity who is not a university student, faculty or staff employee and who contractually interacts with or on behalf of USC. This includes but is not limited to vendors, consultants, contractors, and research and business partners.

Third-Party Relationship Owner (TPRO): The individual responsible for establishing and managing the interactions between a third party and USC.

USC-Owned Technology Resources: Technology resources owned, licensed, or developed by USC, including but not limited to: network-based communication services (USC networks, email accounts, instant messaging platforms, and cloud-based repositories); USC-issued computers and electronic devices (desktops, laptops, mobile phones, tablets, servers, satellite phones, and pagers) purchased or leased using university funds; and any USC-developed or licensed software.

5. Policy Details

Objective 

The objective of this policy is to safeguard and preserve an environment that encourages academic and research collaboration through the management of third parties, ensuring the responsible safeguarding and use of USC information.

Policy Requirements 

5.1 USC Office of Cybersecurity must maintain defined cybersecurity criteria for third-party services, products or related processes handling Confidential data, as defined by the Data Protection Policy. 

5.2 Before a third-party service, product or related process first handles or stores USC Confidential data, the Third-Party Relationship Owner (TPRO) will request that the USC Office of Cybersecurity assess the security practices of the third party.

5.3 The Third-Party Relationship Owner (TPRO) will adhere to cybersecurity requirements relating to USC’s Confidential information assets, as defined by the Data Protection Policy, that are accessed, stored, analyzed, processed, or transmitted by third-party services, products or offerings. The TPRO will also obtain a Data Security Addendum (DSA) with any third party that handles, stores or transmits Confidential data, and will consult with the Office of Ethics and Compliance regarding whether a Business Associates Agreement (BAA) is needed for information assets related to Protected Health Information (PHI). The DSA and BAA must use USC’s pre-approved templates unless otherwise approved by the Office of Ethics and Compliance or the Office of the General Counsel.

5.4 The Third-Party Relationship Owner (TPRO) is required to confirm with the Office of General Counsel that a binding Non-Disclosure Agreement (NDA) or appropriate contractual language (e.g., data confidentiality requirements) is in place before a third party handles any data that is not “Public”, as defined by the Data Protection Policy.

5.5 USC Office of Cybersecurity will monitor and periodically assess third-party cybersecurity practices for third-party services, products or related processes handling, storing or accessing Confidential data or High Value Information (HVI), or vendors deemed critical by the University. 

5.6 Third-Party Relationship Owners will work with the USC Office of Cybersecurity to monitor and reassess third-party cybersecurity practices in a timely manner.

5.7 New and existing third parties will be assessed and monitored for cybersecurity risks by the USC Office of Cybersecurity.

5.7.1 Third parties flagged with high or critical security risk ratings will be escalated to local department, school, or unit leadership (i.e., SVP and/or Dean) and the USC Chief Information Security Officer for review. 

5.8 Procurement will collect and maintain up-to-date third-party information, including the following: 

  • Third-party contact information 
  • Third-party relationship owner and represented School/Unit 
  • Third-party associated website(s) 

6. Procedures

N/A

7. Forms

N/A

8. Responsibilities

Position or Office: Responsibilities

USC Office of Cybersecurity:
  1. Develop and review exceptions to the policy
  2. Monitor activity relative to the policy requirements, and provide periodic communications and training designed to support the policy and related procedures, as needed

USC Personnel:
  1. Understand and comply with this policy
  2. In any situation where it is not clear whether the actions being contemplated are permitted, seek guidance from their supervisor or the USC Office of Cybersecurity

SVPs, Deans, Department Chairs and Supervisors/Managers of departments, schools, and units:
  1. Set expectations with USC Personnel to comply with this policy

9. Related Information

Compliance Measurement 

The USC Office of Cybersecurity and the Office of Audit Services will collectively monitor compliance with this policy, USC’s cybersecurity policies and standards, and applicable federal and state laws and regulations using various methods, including but not limited to periodic policy attestations. Compliance with cybersecurity policies will be monitored regularly in conjunction with USC’s monitoring of its cybersecurity program. Audit Services will conduct periodic internal audits to ensure compliance.  

Exceptions 

Any requested exceptions to the policy will be submitted to secgovrn@usc.edu and evaluated in accordance with the decision criteria defined by the USC Office of Cybersecurity issues and exceptions management processes.  

Non-Compliance 

Violation of this policy may lead to this being classified as serious misconduct, which is grounds for discipline in accordance with the Faculty Handbook, staff employment policies, and the Student Handbook, as appropriate. Any disciplinary action under this policy will consider the severity of the offense and the individual’s intent and could include termination of access to the USC network, USC systems and/or applications, as well as employment actions up to and including termination, and student disciplinary actions up to and including expulsion. 

10. Contacts

Please direct any questions regarding this policy to:

Office: Email

USC Office of Cybersecurity: trojansecure@usc.edu