- Department informs Information Technology of the need for a new technology solution
- This is requested by submitting a ticket to helpdesk with the request for consulting services
- A member of the IT department will assist the requestor by providing consultation and help guide the vendor/product selection process (see ‘Qualifier Questions’ below)
- After a solution is identified as a potential fit, the requestor will fill out the Vendor Risk Assessment Form.
- A Higher Education Community Vendor Assessment Tool (HECVAT) will be required per the below guidelines:
  - FULL - if Level 1 Restricted or Level 2 Sensitive data is identified
  - LITE - if Level 3 Internal data is identified
  - NONE - if Level 4 Public data is identified
- Information Security reviews the submitted Vendor Pre-Engagement Form, HECVAT, and any other submitted security documentation. As part of this step Information Security will:
  - Ask any follow-up questions to the requestor.
  - Ask any follow-up questions to the vendor.
  - Request any additional information/documentation required to complete the review.
  - Finalize a Vendor Risk Assessment Findings Report (Sample).
  - Share the completed Vendor Risk Findings Report with a team member for Peer Review.
- Once the Vendor Risk Findings document is complete, it will be shared with:
  - Requesting Department
  - OGC
Steps 2-5 will be completed in an average of 30 days.
Do I need to complete a vendor risk assessment?
Qualifier Questions
This section addresses the question “Do I need to complete a vendor risk assessment for this product/tool/vendor?” and other inquiries regarding the need for Vendor Risk Assessments.
To assist in answering this question, please answer the following qualifying questions:
- Is this related to a new product/service or a contract renewal?
- Can you please describe the services being provided, including the institutional data the vendor will be able to access?
- Will use of this product/system involve the transmission or storage of University data?
- What Data Classification does the data stored or transmitted fall under? Is the data stored and/or transmitted Level 1 Restricted or Level 2 Sensitive data (based on the Data Classifications from the University’s Data Governance Policy)?
- Is there a statement of work for this agreement? If so, can you please share this with us?
When determining whether the proposed vendor, product, or service requires a Vendor Risk Assessment, the below table is used to determine the type of Vendor Risk Assessment to be completed. This applies to both new vendors/services/products and those that are due for renewal.
| | Existing Product/Contract Renewal | Transmission/Storage of University Data |
|---|---|---|
| None | No VRA | No VRA |
| Level 4 - Public | No VRA | No VRA |
| Level 3 - Internal | No VRA | Partial VRA |
| Level 2 - Sensitive | Full VRA | Full VRA |
| Level 1 - Restricted | Full VRA | Full VRA |
Description of Assessment Types
- Full Vendor Risk Assessment - a full Vendor Risk Assessment (VRA) is completed in situations where entering into a partnership or using a product/service presents medium to high risk to University data and systems. This type of assessment requires the below documentation to be obtained and reviewed by the Information Security Team:
  - Vendor Risk Assessment Form
  - Higher Education Community Vendor Assessment Toolkit (HECVAT) - Full
  - Responses to follow-up questions addressed to the University Sponsor and/or the Vendor.
  - Any supporting documentation from the vendor requested by the Information Security Team at the time of review.
- Partial Vendor Risk Assessment - a Partial Vendor Risk Assessment (VRA) is completed in situations where entering into a partnership or using a product/service presents low risk to University data and systems. This type of VRA requires the below documentation to be obtained and reviewed by the Information Security Team:
  - Vendor Risk Assessment Form
  - Higher Education Community Vendor Assessment Toolkit (HECVAT) - Lite
  - Responses to follow-up questions addressed to the University Sponsor and/or the Vendor.
- No Vendor Risk Assessment - in situations where entering into a partnership or using a product/service presents no risk to University data and systems, no Vendor Risk Assessment needs to be completed. This type of VRA does not require the collection or review of forms/documentation outside of the qualifier questions asked at initial engagement.
It should be noted that a Vendor Risk Assessment may be required should the scope of use for the associated products or services change. At the time of contract renewal or the addition of services or features, the University sponsor should notify the Information Technology team by contacting the Help Desk.
What if I am completing a renewal?
Qualifier Questions to Requestor
- Will the scope of data or the scope of use for this vendor be changing with this renewal? If yes, please explain in detail.
- Has a Vendor Risk Assessment for this vendor been completed previously?
- Has the vendor previously provided a HECVAT for review by the University?
If the scope of data or use of the product/services provided by this vendor changes in a manner that increases risk to the University, a new Vendor Risk Assessment must be completed. Additionally, if the vendor did not previously provide a completed HECVAT or the required HECVAT type (determined by the level of University data involved in the agreement) and/or a Vendor Risk Assessment Findings Report was not previously completed, a new Vendor Risk Assessment must be completed.
Qualifier Questions to Vendor (for HECVAT Request)
- Over the past year (since the initial agreement start or most recent renewal), have there been any significant changes to your environment or provided product/services that impact the security posture of your organization, your product, our University systems, and/or University data?
- Has a revised/updated HECVAT been completed?
- If there is not a revised/updated HECVAT, are all of the responses in the existing HECVAT accurate? Or, do they require updates?
- Have any other security policies, procedures, or certifications changed for your organization over the past year?
If the vendor answers ‘Yes’ to any of the questions above, a new/updated HECVAT must be provided and a new Vendor Risk Assessment should be completed with a new Vendor Risk Assessment Findings Report.
If the vendor answers ‘No’ to all of the questions above and the vendor has not provided a new HECVAT for this agreement in the past 3 years, a new HECVAT must be submitted and reviewed along with the completion of a new Vendor Risk Assessment Findings Report.