56.10.08 - Vendor Access

Return to policies website


To list vendors’ requirements prior to gaining access to IT resources.


This policy will be reviewed once a year by the director of Systems and Network Operations and the information security officer (ISO) and will be approved by the chief information officer (CIO).


Vendor access to Data Centers, IT rooms, and resources requires approval and authorization by the CIO. Access requests will be reviewed and implemented based on business needs, job functions, and responsibilities. Logs will be maintained on all vendor access to resources.

Vendors must execute non-disclosure and business associate agreements (BAAs) with the institution prior to accessing the TTUHSC El Paso network and resources to ensure that any confidential information, whether intentionally or unintentionally accessed, is properly protected. Vendor credentials should not be active for more than a year, and access should be granted through active directory security groups.

BAAs should be renewed on a yearly basis.