Vendor Risk Assessment Findings Report
SAMPLE
The purpose of this Vendor Risk Assessment Findings Report is not for the Information Security team to approve or deny the use of a particular vendor, product, or service, but rather to provide enough information to allow the requesting department to make an informed decision regarding whether to proceed with engaging a vendor, product, or service.
Upon receipt of this Vendor Risk Assessment, it is the responsibility of the requesting department to contact both the Office of General Counsel and Purchasing to begin the Contract Review and Approval Procedure.
Service Description and Background
Vendor Risk Assessment Details
Vendor Risk Assessment Type: Full
Agreement Type: New
University Data Level*: Level 2 - Sensitive
*See Information Processed section for full details
Requestor Information
Department: Information Technology Support Services (ITSS)
Department Contact: Director of ITSS
Department Contact Email: helpdesk@arcadia.edu
Description of Services
Theoretical Vendor provides a cloud-based tool that will allow us to create and manage tickets and workflows for the University.
Students, Faculty, and Staff will have the ability to submit tickets by emailing the help desk, calling the help desk, or using the web portal to submit a ticket. Members of the IT team will be granted the appropriate agent-level roles to manage tickets assigned to them.
The platform will also have the ability to create forms and workflows.
There is the chance that an end-user might accidentally submit information such as a password in a ticket (we do not ask for this), but we will not explicitly ask for passwords or items such as social security number or payment information.
We will sometimes ask for date of birth, powercampus ID, secondary/alternate email address, and other information in order to confirm the identity of a user.
Internal University data such as processes, procedures, workflows, configuration changes, system issues and user issues/resolutions will live in this platform.
Information Processed
As a part of the service, the following information is generally stored, processed, transmitted, or accessed:
- Student, Staff, Faculty, and Alumni data
- Name (First, Last)
- Phone Number
- Email Address
- Date of Birth
- Other Information (Provide Detail)
- Information related to an issue being reported. Internal university information such as processes, procedures, workflows, configuration changes, system issues and user issues/resolutions will live in this platform.
Based on the Data Classifications outlined in the University’s Data Governance Policy, the above data to be processed is classified as Level 2 Sensitive.
Level 2, Sensitive: University data that may not be protected by law, regulation, or contract, but which is considered private and is subject to special treatment. Examples of Level 2 data include but are not limited to: any information that the University has agreed or decided to keep private.
Vendor Information
Vendor: Theoretical Vendor Name
Vendor Contact: Friendly Person
Vendor Contact Email: Super Helpful Vendor Employee
Reputation: Clean
Recent Security Incidents/Breaches: None - Past 5 Years
Vendor Findings Details
In this section you will find details of the vendor risk assessment that speak to the controls put in place by the vendor or any other observations made about the vendor and/or their products/services made during the vendor risk assessment process. The information found in this section should be reviewed in depth and used when deciding whether to move forward with the vendor.
Risk
The following was considered to qualitatively assess vendor risk:
- Likelihood - the probability, or likelihood, that a finding or risk could impact a customer’s service.
- Consequence - the harm, or consequences, of a finding being compromised.
General Observations
During the review of the provided documents, the below observations were made regarding the vendor, the services provided by the vendor, or the manner in which the vendor/service will be used at Arcadia University:
- The vendor utilizes industry standard data encryption for data in transit and data at rest.
- The platform supplied by the vendor supports single sign-on using SAML.
- The vendor carries cyber-risk insurance to protect against unforeseen service outages, data that is lost or stolen, and security incidents.
- The vendor’s security documents are outdated at the time of this vendor risk assessment.
Assessment and Findings Overview
The below table contains a count of the risks identified while completing this vendor risk assessment. The counts are reflective of the items listed in the “Findings Details” section.
Vendor Security Summary Statement
The documentation provided by the vendor demonstrates a thoughtful approach to securing their systems and in turn, Arcadia University data.
Findings Details
- [HIGH] High Level University Data being Processed - Security Addendums
The level of data to be processed by the vendor under this agreement is Level 1 Restricted data (see Information Processed section).
- [MEDIUM] Dated SOC2 Type 2 Report
The provided SOC2 report conducted by The Agency was issued January of 2019. This report is now over 3 years old. Documents that are older and have not been updated have a potential to be out of date and be missing critical updates.
- [MEDIUM] Dated HECVAT
The provided HECVAT was issued March of 2019. This report is now approaching 3 years old. Documents that are older and have not been updated have a potential to be out of date and be missing critical updates.
University Considerations
This section details considerations and controls that should be put in place in the event that the decision is made to move forward with the vendor. Recommendations may include items that speak directly to high risk items discovered during the review process, or may include University standards for implementation. The information in this section should be closely reviewed by the requestor and any Arcadia University administrator who may be involved in the implementation and configuration of the services/products offered by the vendor to which this report speaks.
Summary of Recommendations
Recommendations
- Security Addendums
The University should require the vendor to sign and adhere to the University’s Data Security Addendum as well as the University's GDPR- and UK DPA-specific Data Protection Addendums.
- Obtain Updated SOC 2 Type 2
In the event that the University decides to renew services with the vendor, a current SOC 2 Type 2 should be requested from and supplied by the vendor.
- Obtain Updated HECVAT
In the event that the University decides to renew services with the vendor, a current HECVAT should be requested from and supplied by the vendor.
- Export University Data Before Contract End
At the conclusion of the contract, all University data must be exported and given to the University. After data is confirmed to be successfully obtained, the vendor must provide evidence that University data has been destroyed and is not recoverable from their systems. This will ensure that the University will not be involved in any potential future issues with the vendor, should they arise.
Evidence and Materials
Assessment Evidence
The following Documentation was reviewed as part of this assessment:
- Higher Education Community Vendor Assessment Tool (HECVAT) - March, 2019
- Vendor Risk Assessment Form completed by Arcadia University employee
- Theoretical Vendor Information Security Policy
- Theoretical Vendor - SOC 2 Type II - January, 2019
Other Reference Materials
The following documentation was used to support the information found in the findings details and high-level recommendations sections.
Review Information
Vendor Risk Assessment Findings (version 2)
Completed By: Information Security Analyst
Date of completion: October 31, 2022
Peer Reviewed By: Director of Infrastructure
Date of completion: November 2, 2022