Vendor Risk Assessment Form
The Vendor Risk Assessment Form (VRAF) is used to capture details about a prospective vendor or service provider and the sensitivity of the institutional data the vendor will receive and use.
This form must be completed for any engagement with a new vendor that will
- Have access to University data (processing, transmitting, and/or storage).
- Provide a tool that integrates with other University systems or hardware.
In addition to new vendors, this form must also be completed when an existing contract is renewed or changed in a way that alters the services being provided.
In addition to this form, we require that the vendor complete a Higher Education Community Vendor Assessment Toolkit (HECVAT) and provide it to the University.
Together, these are used to determine the risk of using the vendor as it pertains to data and system security, and to produce a Vendor Risk Assessment Findings Report (Sample) that helps your department assess whether the risks associated with engaging this vendor are tolerable for your department and for Arcadia University as a whole.
The inherent risk associated with engaging the vendor is determined by:
- The type of data provided to the vendor;
- The volume of overall records;
- The level of access granted to the vendor or service; and
- Any other details that may impact the designation, such as the vendor's privacy and security policies and relevant contractual terms, including those which allocate risk and responsibility between the vendor and the University.
This risk is assessed as a joint effort between the IT department, the Office of General Counsel, and the sponsoring department, with input from the vendor.
We understand that our University partners have varying levels of comfort with issues related to data privacy and security. Please answer these questions as completely as you are able.
The review process, from submission of this form to receipt of the Vendor Risk Assessment Findings Report, may take up to 30 days to complete.
We have compiled a sample of a completed Vendor Risk Assessment Form for your reference.
These instructions were created in order to help you in the completion of this form. If you have any questions, please feel free to contact the Help Desk.
Vendor Information
- Vendor Name - State the registered name of the vendor.
- Vendor Address - Provide the physical address of the vendor named above.
- Vendor Contact Name - Provide the name of the person(s) with whom you are in contact on behalf of the vendor.
- Vendor Contact Title - What is the title/role of the contact(s) named above?
- Vendor Contact Phone Number - What is the contact's direct phone number?
- Vendor Contact Email - What is the contact's direct email address? (Please try not to provide distribution lists or shared email addresses.)
- Vendor Year of Incorporation - Provide the vendor's year of incorporation (enter the full date if it is within the past five years). This helps us understand the maturity level of the vendor you are seeking to work with.
University Sponsor Information
- Department Name - State the department that will be sponsoring the work with the vendor or service and in charge of deployment.
- Department Contact Name - Who within this department is leading the implementation of this vendor or service?
- Department Contact Email - The email address of the department contact.
- Department Contact Phone Number - The phone number of the department contact.
Pre-Requisite Documents
- Has the vendor completed and provided a Higher Education Community Vendor Assessment Toolkit (HECVAT)?
All vendors and/or services being reviewed must complete and provide a HECVAT (Full). Please choose the option that best describes the state of obtaining the HECVAT from the vendor. If a HECVAT has not been provided by the vendor, a completed HECVAT will need to be provided in order to proceed with the review.
The HECVAT forms can be downloaded from the Educause website. You will have the opportunity to upload it later in this form.
Implementation and Background
- When do you plan on implementing this new product/service? Select the date that you are looking to begin working with this vendor or service.
- Will this vendor have access to Arcadia University data or require the implementation of software? (Note: this will determine your next steps in completing this form). Determine whether work with the vendor will require Arcadia University to share/provide access to data.
- Describe the services being provided, including the institutional data the vendor will be able to access. Please be as descriptive as possible. Use this space to describe your work with the vendor including what services they offer, how you discovered them, how long you plan on partnering with the vendor, and what their services will allow you to accomplish. Be sure to provide as much detail as possible and indicate how far you are in the procurement process.
- How will the system/service be deployed? Choose the option that best describes how products/services will be delivered by the vendor to be used by Arcadia University. Selecting unsure will prompt additional questions from the Information Technology team to the vendor regarding implementation.
- Does this implementation require support from the Information Technology Department? For example: Does the implementation of this product require configuration of Single Sign-On (SSO)? In order for the product to work, does a server need to be provisioned on our local network? Do Arcadia accounts need to be provisioned? Choosing ‘Yes’ will display a prompt requesting that you identify which IT teams need to be involved in the implementation. A member from the selected team will contact you and request further information regarding the implementation.
- Are you aware of another vendor that provides the same or similar services? What other vendors provide similar services? Choosing ‘Yes’ will display a space to provide their information.
- Please list the vendors that provide the same or similar services. This space can be used to provide the names of the vendors and products that provide a similar service.
- How long will services be provided by this vendor? Please describe if you plan on using this vendor short term (the duration of the new contract only) or if they have the potential to be a long-term vendor (there is a chance that the contract will be renewed once it ends).
- Is there a current contract with the vendor? Does the University have an existing contract with the vendor? This can include contracts with the same vendor but related to a different product or service offered by the vendor. Choosing ‘Yes’ will display the following prompts:
  - Will new products or services be added to the contract? Choosing ‘Yes’ will display the prompt:
    - Please describe the products or services that will be added to the new contract. Use this space to describe the new services that will be added to the contract. Be as descriptive as possible.
  - Will the vendor have access to a different level of data? Choosing ‘Yes’ will display the prompt:
    - Please choose the scenario that best describes the level of data that the vendor will now have access to in comparison to the current contract. This will help us identify whether the level of risk associated with the new contract has increased or decreased.
  - Have there been issues about which the IT department should be aware? Think about the past engagement with this vendor. Have there been any customer service related issues? Has the product or service failed to meet expectations? Have security incidents occurred with this vendor or service? Choosing ‘Yes’ will display the prompt:
    - Describe the issues with the vendor. Please be as descriptive as possible. Use this space to provide as much detail as possible regarding any issues with the vendor.
Security Documentation
- Has the vendor provided any of the following security documentation? Please choose from the following. A significant part of the review process for a vendor will be to build an understanding of their Information Security program by reviewing policies, procedures, and internal practices so that we can understand the controls they have in place that will protect our data. For this prompt, select all documents that the vendor has provided.
- HECVAT - The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a questionnaire framework specifically designed for higher education to measure vendor risk. This option refers to the full version of the toolkit, containing approximately 400 questions to be answered by the vendor. A HECVAT is required for all vendor risk assessments. If the vendor has provided a HECVAT, please select this option and upload it in the next step.
- SOC 2 Type II - This is a report produced by a third-party auditing firm that documents how an organization safeguards its data and systems and tests whether its controls operated effectively over a defined period of time (unlike a SOC 2 Type I, which only describes the controls as designed at a single point in time). When reviewing the report, check that the period it covers is recent and that the services you are procuring fall within its scope. If the vendor has completed a SOC 2 Type II, please select this option and upload it in the next step.
- Information Security Policy - The information security policy is an internal document implemented, enforced, and followed by the vendor. It describes the acceptable use rules and security controls the vendor has established. If the vendor provided their information security policy, please select this option and upload it in the next step.
- Privacy Policy - A privacy policy describes how the vendor gathers, uses, discloses, and manages data. If the vendor provided their privacy policy, please select this option and upload it in the next step.
- Data Addendum - The University has its own Data Security Addendum that it provides to the vendor. In some instances, the vendor will provide their own Data Security Addendum to add to the agreement. If this is the case, select this option and upload it in the next step.
- Other - Choosing ‘Other’ will display the prompt:
- Please describe any other security documentation provided by the vendor. If you received any security documentation that is not listed in the previous question, please list the name of the documentation here.
- Please upload any documentation provided by the vendor. If you received a copy of the security documentation listed in the previous questions via email, please upload it here. Sometimes, the vendor will require their documentation to be accessed using a secure portal. If this is the case, please indicate this in the next OPTIONAL section.
- Please provide a link to any security documents shared. (OPTIONAL) This can be used to paste a link to any security documentation that the vendor shared from their website or other web resource. An example of this would be the vendor’s posted privacy policy.
Data Classification and Handling
- Will the vendor store or transmit any of the following types of information? Please select any of the following types of data that will be stored or transmitted as a part of the products or services offered by the vendor that will fall within the contract. Select all that apply. Choosing ‘Other’ will display the prompt:
- Please list the other data types here. This space can be used to describe additional types of data that fall within the scope of this agreement. Please note that the next section will refer to specific data fields, so you do not need to specify them here.
- Please choose from the following data fields to be collected. This section speaks to the specific data fields that will fall within the scope of this agreement. Please select all that apply. This prompt is crucial in understanding the risk associated with entering into an agreement with the vendor. Choosing ‘Other’ will display the prompt:
- Please list and describe the 'other' data fields to be collected. If the particular data field that will fall within the scope of this agreement was not listed above, please list the data in this section.
- What Data Classification does the data stored or transmitted fall under? Based on the data fields and types selected in the previous prompts and the Data Classifications defined in the Data Governance Policy, what Data Classification does the data fall under? If more than one Data Classification applies, please choose the most restrictive Data Classification. There is the chance that during the review process, this classification may change.
- Approximately how many records will be shared with the vendor? To the best of your knowledge, how many records will be shared with the vendor. For example, if this agreement will include a record for every faculty and staff member, you would choose the option 501-1000.
- Will any data be processed, stored or transmitted outside the US? If the services are hosted outside of the United States, or data will be stored or processed in data centers outside of the United States, please choose ‘Yes’.
- Where outside of the United States will data be processed, stored or transmitted? Use this space to describe the locations where data will be processed, stored, or transmitted as a part of this agreement.
- How will data be transmitted to the vendor? If the services offered by the vendor require data to be transmitted to the vendor, how will data be shared? Please choose the option that best describes the transmission method. If the method is not listed here, choose ‘Other’; you will have the opportunity to describe it in further detail in the prompt that appears. If you are unsure of the method used, please choose ‘Unsure’ and this will be added as a follow-up question. Choosing ‘Other’ will display the prompt:
- Please describe the 'Other' transmission method. If the method of transmitting data to the vendor is not listed in the previous prompt, please describe it here.
- Is there a technology expenditure or investment required? If there is a cost associated with this technology or with the work with this vendor, please choose ‘Yes’. This also applies if there will be other fees associated with the related project that are not part of this immediate agreement. Choosing ‘Yes’ will display the prompt:
- Please describe the technology expenditure or investment. Use this space to describe the technology expenditure or investment involved in this agreement.
- Which of the following departments have been informed of the interest in using this vendor? The implementation of a new vendor, product or service at the University involves the input of multiple offices. Please choose from the options which departments have been made aware of the proposed work with this vendor.
Once you are ready to submit the form, be sure to select the box next to ‘Send me a copy of my responses’ and enter your email address to receive a copy for your records.
Next Steps
After you have completed this form, the Information Technology team will begin the review of the form and any attached documentation. If a HECVAT has not been included, there is information missing, further clarification needed, or any follow up questions, a member of the Information Technology team will reach out to you via the email address provided under ‘Department Contact Email’.