What is the term used to describe the connectivity between an organization and third party?

Glossary Comments

Comments about specific definitions should be sent to the authors of the linked Source publication. For NIST publications, an email is usually found within the document.

Comments about the glossary's presentation and functionality should be sent to .

See NISTIR 7298 Rev. 3 for additional details.

This Third Party Network Connection Agreement (the “Agreement”) by and between Appalachian State University, a University of North Carolina institution, with principal offices at Boone, North Carolina, (“Appalachian State University”) and ______________________ , a ________________ corporation, with principal offices at _____________________________ (“Company”), is entered into as of the date last written below (“the Effective Date”).

This Agreement consists of this signature page and the following attachments that are incorporated into this Agreement by this reference:

1. Attachment 1: Third Party Network Connection Agreement Terms and Conditions
2. Attachment 2: Network Connection Procedure
3. Attachment 3: Third Party Connection Request - Information Requirements Document

This Agreement is the complete agreement between the parties hereto concerning the subject matter of this Agreement and replaces any prior oral or written communications between the parties. There are no conditions, understandings, agreements, representations, or warranties, expressed or implied, which are not specified herein. This Agreement may only be modified by a written document executed by the parties hereto. Any disputes arising out of or in connection with this Agreement shall be governed by North Carolina law without regard to choice of law provisions.

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be duly executed. Each party warrants and represents that its respective signatories whose signatures appear below have been and are on the date of signature duly authorized to execute this Agreement.

Attachment 1

Third Party Connection Agreement - Terms and Conditions

Object: To ensure that a secure method of connectivity is provided between Appalachian State University and Company and to provide guidelines for the use of network and computing resources associated with the Network Connection as defined below.

Definition: "Network Connection" means one of the Appalachian State University connectivity options listed in Section B of the Network Connection Procedure.

1. Right to Use Network Connection. Company may only use the Network Connection for business purposes as outlined by the Third Party Connection Request - Information Requirements Document.

2. Appalachian State University-Owned Equipment.

2.1 Company may modify the configuration of Appalachian State University-Owned Equipment only after notification and approval in writing by authorized Appalachian State University personnel.

2.2 Company will not change or delete any passwords set on Appalachian State University-Owned Equipment without prior approval by authorized Appalachian State University personnel. Promptly upon any such change, Company shall provide Appalachian State University with such changed password.

3. Network Security.

3.1 Company will allow only Company employees approved in advance by Appalachian State University (“Authorized Company Employees”) to access the Network Connection or any Appalachian State University-Owned Equipment. Company shall be solely responsible for ensuring that Authorized Company Employees are not security risks, and upon Appalachian State University’s request, Company will provide Appalachian State University with any information reasonably necessary for Appalachian State University to evaluate security issues relating to any Authorized Company Employee.

3.2 Company will promptly notify Appalachian State University whenever any Authorized Company Employee leaves Company’s employ or no longer requires access to the Network Connection or Appalachian State University-Owned Equipment.

3.3 Each party will be solely responsible for the selection, implementation, and maintenance of security procedures and policies that are sufficient to ensure that (a) such party’s use of the Network Connection (and Company’s use of Appalachian State University-Owned Equipment) is secure and is used only for authorized purposes, and (b) such party’s business records and data are protected against improper access, use, loss alteration or destruction.

4. Notifications. Company shall notify Appalachian State University in writing promptly upon a change in the user base for the work performed over the Network Connection or whenever in Company’s opinion a change in the connection and/or functional requirements of the Network Connection is necessary.

5. Payment of Costs. Each party will be responsible for all costs incurred by that party under this Agreement, including, without limitation, costs for phone charges, telecommunications equipment and personnel for maintaining the Network Connection.

6. DISCLAIMER OF WARRANTIES. APPALACHIAN STATE UNIVERSITY MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, CONCERNING ANY SUBJECT MATTER OF THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

7. LIMITATION OF LIABILITY. IN NO EVENT WILL APPALACHIAN STATE UNIVERSITY BE LIABLE TO COMPANY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY DAMAGES RESULTING FROM ANY DELAY, OMISSION OR ERROR IN THE ELECTRONIC TRANSMISSION OR RECEIPT OF DATA PURSUANT TO THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

8. Confidentiality. The parties acknowledge that by reason of their relationship to each other hereunder, each will have access to certain information and materials concerning the other’s technology and products that is confidential and of substantial value to that party, which value would be impaired if such information were disclosed to third parties (“Confidential Information”). Should such Confidential Information be orally or visually disclosed, the disclosing party shall summarize the information in writing as confidential within thirty (30) days of disclosure. Each party agrees that it will not use in any way for its own account, except as provided herein, nor disclose to any third party, any such Confidential Information revealed to it by the other party. Each party will take every reasonable precaution to protect the confidentiality of such Confidential Information. Upon request by the receiving party, the disclosing party shall advise whether or not it considers any particular information or materials to be Confidential Information. The receiving party acknowledges that unauthorized use or disclosure thereof could cause the disclosing party irreparable harm that could not be compensated by monetary damages. Accordingly, each party agrees that the other will be entitled to seek injunctive and preliminary relief to remedy any actual or threatened unauthorized use or disclosure of such other party’s Confidential Information. The receiving party’s obligation of confidentiality shall not apply to information that: (a) is already known to the receiving party or is publicly available at the time of disclosure; (b) is disclosed to the receiving party by a third party who is not in breach of an obligation of confidentiality to the party to this agreement which is claiming a proprietary right in such information; or (c) becomes publicly available after disclosure through no fault of the receiving party.

9. Term, Termination and Survival. This Agreement will remain in effect until terminated by either party. Either party may terminate this agreement for convenience by providing not less than thirty (30) days prior written notice, which notice will specify the effective date of termination. Either party may also terminate this Agreement immediately upon the other party’s breach of this Agreement. Sections 5, 6, 7, 8, 10.1 and 10.2 shall survive any termination of this Agreement.

10. MISCELLANEOUS.

10.1 Severability. If for any reason a court of competent jurisdiction finds any provision or portion of this Agreement to be unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible so as to effect the intent of the parties, and the remainder of this Agreement will continue in full force and effect.

10.2 Waiver. The failure of any party to enforce any of the provisions of this Agreement will not be construed to be a waiver of the right of such party thereafter to enforce such provisions.

10.3 Assignment. Neither party may assign this Agreement, in whole or in part, without the other party’s prior written consent. Any attempt to assign this Agreement, without such consent, will be null and of no effect. Subject to the foregoing, this Agreement is for the benefit of and will be binding upon the parties' respective successors and permitted assigns.

10.4 Force Majeure. Neither party will be liable for any failure to perform its obligations in connection with any transaction or any document if such failure results from any act of God or other cause beyond such party's reasonable control (including, without limitation, any mechanical, electronic or communications failure) which prevents such party from transmitting or receiving any documents.

Attachment 2

Network Connection Procedure

Purpose: To ensure that a secure method of network connectivity between Appalachian State University and all third parties and to provide a formalized method for the request, approval and tracking of such connections.

Scope: External company data network connections to Appalachian State University can create potential security exposures if not administered and managed correctly and consistently. These exposures may include non-approved methods of connection to the Appalachian State University network, the inability to shut down access in the event of a security breach, and exposure to hacking attempts. Therefore, all external company data network connections will be via the Appalachian State University Third Party VPN Network. This Procedure applies to all new Third Party Network Connection requests and any existing Third Party Network Connections. When existing Third Party Network Connections do not meet all of the guidelines and requirements outlined in this document, they will be re-engineered as needed

Definitions: A "Network Connection" is defined as one of the connectivity options listed in Section B. below. “Third Parties” is defined as Appalachian State University Vendors, Suppliers and the like.

A. Third-Party Connection Requests and Approvals

All requests for Third Party connections must be made using the appropriate method based on the support organization. [Add text about the specific support methods if needed]

The required information is outlined in the Third Party Connection Request - Information Requirements Document (See Attachment 3 of this document). All information requested on this form must be completed prior to approval and sign off. It is Company’s responsibility to ensure that Company has provided all of the necessary information and that such information is correct.

All Third Party connection requests must have an Appalachian State University CIO level signature for approval.

As a part of the request and approval process, the technical and administrative contact within Company’s organization or someone at a higher level within Company will be required to read and sign the "Third Party Connection Agreement " and any additional documents.

B. Connectivity Options

The following three connectivity options are the standard methods of providing a Third Party Network Connection. Anything that deviates from these standard methods must have a waiver sign-off at the Appalachian State University CIO level.

1. Encrypted Virtual Private Networks (VPN) tunnels must be used to access Appalachian State University Trusted devices when the connection is initiated from the Company’s device from off campus.
2. A VPN tunnel is not required when connections are initiated from the Appalachian State University Trusted device on campus to other devices.
3. This agreement must be executed for all Third Party Network Connections to or from Appalachian State University equipment that require “Root Level” or Administrator access.

C. Services Provided

In general, services provided over Third Party Network Connections should be limited only to those services needed, and only to those devices needed. Blanket access will not be provided for anyone. The default Procedure position is to deny all access and then only allow those specific services that are needed and approved by Appalachian State University pursuant to the established procedure.

In no case shall a Third Party Network Connection to Appalachian State University be used as the Internet connection for the Third Party.

D. Authentication for Third Party Network Connections

Third Party Network Connections made via VPN tunnels will be authenticated using the Third party Authentication database maintained by Appalachian State University Information Technology Services.

E. Protection of Company Private Information and Resources

The Appalachian State University network support group responsible for the installation and configuration of a specific Third Party Connection must ensure that all possible measures have been taken to protect the integrity and privacy of Appalachian State University confidential information. At no time should Appalachian State University rely on access/authorization control mechanisms at the Third Party’s site to protect or prohibit access to Appalachian State University confidential information.

Appalachian State University shall not have any responsibility for ensuring the protection of Third Party information. The Third Party shall be entirely responsible for providing the appropriate security measures to ensure protection of its private internal network and information.

F. Audit and Review of Third Party Network Connections

All aspects of Third Party Network Connections - up to, but not including Company’s firewall, will be monitored by the appropriate Appalachian State University network support group. Where possible, automated tools will be used to accomplish the auditing tasks.

G. Appalachian State University ITS Network Infrastructure and Control Systems

The ITS Network Infrastructure and Control Systems Group is responsible for all global firewall design, configuration and engineering required for network access.

Attachment 3

Third Party Connection Request - Information Requirements Document

In accordance with the Network Connection Procedure, all requests for Third Party Network Connections must be accompanied by this completed Information Requirements Document. This document should be completed by the Appalachian State University person or group (sponsor) requesting the Network Connection.

A. Contact Information

Appalachian State University Requester Information
Name:
Department Number:
Manager's Name:
Director's Name:
Phone Number:
Email Address:

Appalachian State University Technical Contact Information
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address

Appalachian State University Back-up Point of Contact:
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address

B. Problem Statement/Purpose of Connection

What is the desired end result? Company must include a statement about the business needs of the proposed connection.

C. Scope of Needs (In some cases, the scope of needs may be jointly determined by the supporting organization and the Third Party.)

What services are needed? (See Section C. of Network Connection Procedure)
What are the bandwidth needs?
How long is the connection needed?
Future requirements, if any.

D. Third Party Information

Third Party Name
Management contact (Name, Phone number, Email address)
Location (address) of termination point of the Network Connection (including building number, floor and room number)
Main phone number
Local Technical Support Hours (7X24, etc).
Host/domain names of the Third Party
Names (Email addresses, phone numbers) of all employees of the Third Party who will use this access. If not appropriate to list the names of all employees, then provide a count of the number of employees who will be using the connection.

E. What type of work will be done over the Network Connection?

What applications will be used?
What type of data transfers will be done?
How many files are involved?
What are the estimated hours and frequency of use?

F. Are there any known issues such as special services that are required? Are there any unknown issues at this point, such as what internal Appalachian State University services are needed?

G. What is the requested date to begin using this connection? (Minimum lead-time is 5 work days from receipt of executed copy by Appalachian State University ITS Network Infrastructure and Control Systems)

H. What is the approximate duration of the Third Party Network Connection?

I. Are there any existing Network Connections at Appalachian State University with this company?

J. Other useful information

What is third party connectivity?

What is a third party service organization?

What is a third party company called?

What is the most accurate definition that describes a third party?