What is it?
In an effort to minimize enterprise risk, the IT Department, in conjunction with the Office of the General Counsel, as developed a formal strategy for managing relationships with third-party technology vendors. This strategy, which is outlined in the Third-Party Management Standard, requires that all prospective products and their vendors be reviewed by the Third-Party Risk Management Team before any contract is signed. This ensures that operational and security risks associated with a technology are known and allows any technical roadblocks to be identified prior to a departmental expenditure.
In order for the team to perform a review, individuals wishing to procure third-party technology must complete a request, which provides information surrounding the nature of the request. In most cases, the team will request that the vendor provide documentation describing the architecture, design, operation, and security of their product. This information is usually obtained via the vendor's completion of the Higher Education Community Vendor Assessment Tool (HECVAT). The HECVAT is available via download from Educause.
In addition to the HECVAT or equivalent documentation, the Third-Party Risk Management Team also requests that all vendors provide a Service Organization Control (SOC 2) report, should they maintain one. If a vendor does not have a SOC 2 report, a written statement may be submitted stating such.
Finally, other types of documentation may be requested depending on the data associated with the application or service in question. For example, if a proposed technology will store, process, or transmit credit card data, an adequate Payment Card Industry (PCI) Attestation of Compliance (AoC) must be provided.
Following the Third-Party Risk Management Team's review of all provided documentation, communication will be issued to the requestor to indicate whether or not the product/vendor has been approved. If approved, the requestor should then complete General Counsel's Contract & Agreement Review & Tracking Form to finalize the purchase and contract.
Who is it for?
Staff, faculty
How do I get it?
Click the "Submit Third-Party Tech Request" button to complete the request form.