The purpose of this Third-Party Vendor Management Policy is to establish guidelines and procedures for the selection, engagement, and ongoing management of third-party vendors by the Archdiocese of Baltimore. This policy aims to ensure that third-party vendors adhere to the organization’s standards of security, privacy, and compliance in order to safeguard sensitive information and maintain the organization’s reputation.
This policy applies to all employees, volunteers, contractors, and any individuals affiliated with the Archdiocese of Baltimore who engage with or have responsibilities related to third-party vendors.
3.1. Due Diligence
a. Prior to engaging a third-party vendor, a thorough evaluation will be conducted to assess the vendor’s qualifications, capabilities, and reliability.
b. The due diligence process will include assessing the vendor’s security practices, privacy policies, regulatory compliance, financial stability, and reputation.
3.2. Vendor Evaluation Criteria
a. Vendors must demonstrate a commitment to maintaining the highest standards of security, privacy, and ethical conduct.
b. Criteria for evaluation may include vendor experience, references, certifications, security controls, disaster recovery plans, and insurance coverage.
4.1. Security and Privacy Requirements
a. Contracts with third-party vendors will include provisions requiring compliance with applicable security standards, regulations, and data protection laws.
b. Vendors must agree to protect the confidentiality, integrity, and availability of any sensitive information shared with them.
4.2. Data Handling and Processing
a. Vendors must agree to handle and process data in accordance with the Archdiocese of Baltimore’s data protection and privacy policies.
b. Data sharing, retention, and disposal requirements must be clearly defined in the contract.
4.3. Right to Audit
a. The organization reserves the right to conduct periodic audits or assessments of the vendor’s security controls, practices, and compliance.
b. Vendors must cooperate with any audit requests and provide necessary documentation and evidence of their security and privacy practices.
5.1. Vendor Performance Monitoring
a. Regular performance evaluations will be conducted to assess the vendor’s adherence to contractual obligations and service level agreements.
b. Monitoring activities may include reviewing security incident reports, service quality assessments, and feedback from internal stakeholders.
5.2. Incident Response and Business Continuity
a. Vendors must have appropriate incident response and business continuity plans in place to minimize disruptions and mitigate potential risks.
b. The organization and the vendor will establish procedures for reporting and managing security incidents and breaches.
Only Microsoft-certified applications may be integrated or utilized within the Archdiocese’s Microsoft Azure Enterprise environment. Use of non-Microsoft-certified third-party applications is prohibited, unless a formal exception is granted per section 1000.6.4.
a. Microsoft-certified applications undergo rigorous testing, validation, and ongoing review by Microsoft to ensure compliance with security, privacy, and reliability standards.
b. Non-certified applications pose risks such as uncontrolled updates, inadequate encryption, hidden vulnerabilities, and non-compliance with regulatory obligations.
c. Restricting Azure integrations to certified apps helps maintain governance, reduce attack surface, and ensure consistency in support and incident response.
a. All requests to integrate or enable third-party applications in Azure must be submitted to the IT / Security Team for review.
b. Only applications listed in Microsoft’s official certified Azure Enterprise Applications catalog will be approved.
c. Approved applications will be documented and monitored in the organization’s vendor/integration register.
d. Periodic audits shall confirm continued compliance with certification, security updates, and alignment with enterprise policy.
a. Exceptions may be considered only with written approval from the CIO/CTO or Head of IT Security.
b. Any exception request must include a full security and compliance risk assessment (including threat modeling, encryption review, and vendor support evaluation).
c. Documented mitigation strategies must be approved and monitored for the duration of the exception.
a. Use of non-certified applications without approval constitutes a violation of this policy.
b. Violations may trigger revocation of access, removal of the application, contract review, and disciplinary action per section 1000.7 (Compliance and Consequences).
c. If a certified application loses its certification or becomes deprecated, the IT Team must evaluate alternatives or decommission the integration in a controlled manner.
Procedures will be established to ensure a smooth transition and secure retrieval of all organization-owned data and assets upon termination of the vendor relationship or contract expiration.
Failure to comply with the Third-Party Vendor Management Policy may result in contract termination, legal action, or other appropriate consequences, depending on the severity and frequency of the non-compliance.
This Third-Party Vendor Management Policy will be periodically reviewed and updated to align with changing security risks, regulatory requirements, and organizational needs.