Third Party Review
The Third Party Review, also known as the Vendor Risk Assessment, is the process of assessing the risk associated with Third Party (vendor managed) services that store or process university information.
The Third Party Review covers three areas.
A comparison is done with the functions of the cloud service being requested and existing pre-screened cloud services already in place. This step is taken to reduce cost and the overhead required to onboard a new cloud service.
The Security Assessment
The Third Party Review assesses the security controls a third party has implemented to protect university information. These requirements depend on the type of information that will be stored or processed by the Third party.
The Technical Assessment
Assesses if the service can run in our computing environment and if it can integrate with other systems if integration is needed.
The Accessibility Assessment
We partner with the Student Access office to determine if student facing applications can be used with the accessibility tools provided by the university.
Why do we perform these assessments?
According to Whistic, 47% of businesses they surveyed experienced a data breach. 80% of these breaches were attributed to a third party vendor. The university’s cyber insurance underwriters require that the university maintain risk assessment and risk management strategies. The Third Party Review is a part of the university’s risk management strategy.
What is the process?
The following is an overview of the third Party Review Process:
- The Third Party is asked for a standard set of information that is used for the assessment. For services that collect very sensitive information, additional reports are requested.
- The Third Party is asked for information regarding any system or data integration
- The service requestor is asked to provide some standard information to determine what the university’s requirements are for the service.
How long does this process take?
This process can take 10 business days or more. This length of time taken is highly dependent on how fast the Third Party and the university stakeholder provides the requested information.
How is the Third Party Review Initiated?
The third Party Review is triggered by one of the following: