The Vendor Risk Assessment Form is used to capture details about a prospective vendor or service provider and the sensitivity of the institutional data the vendor will receive and use.
This form must be completed for any engagement with a new vendor that will
- Have access to University data (processing, transmitting, and/or storage).
- Provide a tool that integrates with other University systems or hardware.
In addition to new vendors, this form must also be completed if there is a renewal/change in an existing contract that involves change of services to be offered.
In addition to the completion of this form, we require a Higher Education Community Vendor Assessment Toolkit (HECVAT) be completed and provided by the vendor.
The HECVAT will be used to determine the data and system security risk of using the vendor, and to create a Vendor Risk Assessment Findings Report that helps your department assess whether the risks associated with engaging this vendor are tolerable for your department and for Arcadia University as a whole.
The inherent risk associated with engaging the vendor is determined by:
- The type of data provided to the vendor;
- The volume of overall records;
- The level of access granted to the vendor or service; and
- Any other details that may impact the designation, such as the vendor's privacy and security policies and relevant contractual terms, including those which allocate risk and responsibility between the vendor and the University.
This risk is assessed via the IT department, in coordination with the Office of General Counsel, the department, and the vendor.
We understand that our University partners have varying levels of comfort when it comes to understanding issues related to data privacy and security. Please answer these questions as completely as you are able.
The review process, from submission of this form to receipt of the Vendor Risk Assessment Findings Report, may take up to 30 days to complete.
To assist in the completion of this form, we have created instructions that can be found at this link.
If you have any questions, please feel free to contact the Help Desk.
To complete the Vendor Risk Assessment Form, please click here.
Resources:
Data Classification Levels
Level 1, Restricted: University data that is protected by federal, state, or local laws and regulations, industry regulations, or provisions in government research grants or other contractual arrangements, which impose legal and technical restrictions on the appropriate use of institutional information. Examples of restricted data include but are not limited to: non-directory student educational records, Social Security numbers, credit card numbers, health records, and some combinations of personal information (e.g. the combination of name and financial account information).
Level 2, Sensitive: University data that may not be protected by law, regulation, or contract but is considered private and is subject to special treatment. Examples of Level 2 data include but are not limited to: personal information and any other information that Arcadia University has agreed or decided to keep private.
Level 3, Internal: University data that is proprietary or produced only for use by Arcadia University Data Users who have a legitimate purpose to access such data. Examples of Level 3 data include but are not limited to: financial and budget information of Arcadia University prior to publication.
Level 4, Public: University data and institutional information that has few restrictions and/or is intended for public use. An example of public data includes the Arcadia University website.