5 Building Positive Relationships with Vendors

Basics

Your district is likely to rely on services from a range of vendors. There can be great value in having work completed by certified specialists, especially in areas that would take district staff too long to become proficient with or in smaller IT departments. Any vendor that provides service to your organization should be fully evaluated, especially for their capacity to ensure sensitive information is kept secure and not made open to compromise. Vendors who have access to confidential data, whether it is employee records, financial data, student information, or others should ensure they can adhere to the same data security requirements and laws that govern the district.

You should know the following terms:

  • Security requirements

Know Your Vendors

CIS Critical Security Control 15, Service Provider Managements, notes that organizations should establish and maintain an inventory of all known service providers that includes a designated contact for each. This should include all vendors who are responsible for all equipment, including hardware, HVAC, security, phones, and other systems. Use this inventory to identify and confirm approved vendors in your buildings and in your infrastructure.

Your district should also have a service provider management policy that addresses the classification, inventory, assessment, monitoring, and decommissioning (offboarding) of all vendors with whom your IT department interacts with. Service providers can be classified by one or more characteristics, such as access to sensitive data, the volume of data they interact with, availability requirements, regulations, inherent risk and mitigated risk. Security requirements are especially important to document for each service provider. Security requirements may include minimum security requirements, procedures for notification and response in the case of a security incident or data breach, data encryption requirements, and requirements for data disposal.

The service provider inventory, policies, and classifications should be reviewed and updated periodically, at least annually, or after a significant change to services occurs. As with employees and students, when vendors no longer require access to your systems, vendor credentials should be offboarded as soon as they are no longer required following your district’s SOP.

CISA (2023) advises that school districts should expect that the technology vendors they rely on for critical services, like learning management and student information systems, have strong security controls enabled by default for no additional charge. They note that vendors should not charge more for security features, like MFA and logs, or for connecting a service such as a financial or time-keeping system to a district’s Single Sign On (SSO) portal. CISA encourages schools and districts to work together to advocate against charges for security features or unsafe default settings, encouraging dialog with technology vendors. Your district can also reach out to a regional cybersecurity advisor from CISA when these situations are discovered.

Working with Vendors

What is your role when vendors email, call, or visit your campuses? It’s likely their visits will be coordinated and approved by IT Directors or others, but you may be asked to meet or otherwise interact with a vendor and provide them access to buildings, devices, or confirm credentials for network access. Use your district’s inventory of service providers to verify any vendor before they are given access to any part of your infrastructure.

On campus, you may be asked to greet and escort vendors to approved work areas. Know any building requirements for allowing vendors on-site and be sure to follow SOP when accessing critical areas, such as network closets or server rooms. 

You may be asked to complete tasks for a vendor who is not physically in a district building. Be especially diligent about confirming you know whom you are speaking with and that it is a trusted and verified vendor representative. Be especially cautious of anyone claiming to be a vendor representative that asks you to act in a way that violates any appropriate security protocols, such as bypassing multi-factor authorization or sharing credentials for any user on your system. (See Attacks on Multi-factor Authorization for examples of how cybercriminals may pretend to be a known vendor and obtain confidential information.) If the caller seems overly insistent or pushy, check with a supervisor to confirm that the vendor and request are legitimate.

Remote Management

Know how vendors can remotely manage their systems
Know who is monitoring/maintaining those remote access solutions

Default Settings

Vendors may be called upon to install new devices or applications in your infrastructure. The default credentials on vendor devices are notoriously weak, such as the username “admin” and the password “password.” If you are assigned to work with a vendor, know the standard operating procedure to change those credentials and how they will be documented. Will you or the vendor change them? Where will you record the new credentials so that others in your department can access the device or system, when necessary?

Here are additional resources you may find useful:

Complete the following task or self-assessment:

Determine how your department tracks approved vendors, whether that is through an inventory or other means.

  • What kind of information is kept in the inventory?
  • How often is it reviewed, updated, and culled?
  • Which systems do vendors have access to on your infrastructure, whether physically when on site or through remote access?