St. Francis College · Board Portal

Program Detail


Strategic Program

Third-Party Risk Management & Vendor Governance

Ensure Tier-1 vendors handling student data meet contractual and security assurance requirements

Risks: R-4, R-2

Executive Sponsor

CFO / Legal

Program Owner

Legal / Compliance + CISO

Budget

$12K-$18K Year 1

Status

Year 1 Planned

Program Objectives

  1. Complete vendor inventory and Tier-1 classification by Month 3
  2. Deploy security questionnaires for all SaaS platforms
  3. Collect annual SOC 2 reports from Tier-1 vendors (Banner, Gecko, Zoom, Azure)
  4. Update contract data handling clauses and vendor incident notification SLAs

Phase 1

Months 1-3

  • SaaS/cloud inventory
  • Vendor tiering by data sensitivity
  • Tier-1 identification

Phase 2

Months 4-9

  • Questionnaire rollout
  • Contract clause review
  • SOC 2 collection

Phase 3

Months 10-18

  • Annual review cadence
  • Automated risk scoring
  • Vendor incident SLA enforcement

Expected Outcomes

  • 100% Tier-1 vendors assessed annually
  • Vendor risk register operational
  • ISO 27001 Annex A.15 alignment

Success Metrics

  • Tier-1 vendors assessed (%)
  • SOC 2 reports on file
  • Contracts with breach clauses

Framework alignment

NIST Cybersecurity Framework 2.0 · Primary governance structure
ISO/IEC 27001:2022 · ISMS design principles
FERPA · Mandatory compliance
NY SHIELD Act · State regulatory requirement
CISA Education Sector Guidance · Baseline posture reference

St. Francis College Cybersecurity Governance Portal · CYB 6010 Cybersecurity Strategy · June 2026 · For executive and board use