Any unit that wishes to engage with a vendor must complete the onboarding questionnaire linked below. Please initiate the risk assessment early to avoid delaying engagement with the vendor.

The questionnaire provides Pitt IT Information Security with the information to understand the product or services that the vendor will provide to the University. It also defines the assessment scope, identifies the University’s potential risk, and collects the vendor’s contact information.

Purpose

While the University routinely engages with outside businesses or service providers to help pursue its mission, entrusting these vendors with University data introduces risks that can have a detrimental impact if proper data-protection precautions are not in place. Therefore, to help manage those risks, Pitt IT has developed a vendor security risk assessment. This assessment is required anytime University data is shared with a vendor or a vendor creates, collects, or processes data on the University’s behalf.

However, this process alone does not guarantee that a vendor is safe or secure. After Pitt IT conducts the risk assessment, the department should weigh the results before starting any business relationship and use it to help assess the impact to the University if the vendor experiences a security breach.

Prevention and Protection

Risks are inherent to all information systems, and security breaches can happen with any organization.  The risk assessment goal is to ensure that vendors can sufficiently manage the risks to the confidentiality, integrity, and availability of University data entrusted to them. This process is intended as a screening effort to assess whether the vendor has implemented an information security program with adequate data protections.

By performing a security risk assessment of vendors, the University may reduce the likelihood or impact of harm such as:

• Injury to individuals within the University community due to failure to protect the private information of students, parents, patients, research participants, staff, alumni, or donors. The University must ensure that sufficient safeguards are in place to protect University constituents’ information.
• Reputational harm with lasting impact to the University due to a system breach or loss of data managed or hosted by a third party.
• Measurable financial impact to the University, such as expenses related to breach notification costs, credit monitoring services, call center staffing to handle inquiries and legal fees associated with potential lawsuits and fines.
• Significant impact to the University’s daily operations and impaired ability to deliver vital services due to insufficient security for critical systems outsourced to external parties. For example, the lack of proper data backup or retention could lead to data loss if the vendor suffers a ransomware attack. 

Process

The risk assessment process requires surveying the vendor for various security controls, including policy, technology, operational, and human resource protections. Responses to the survey must be analyzed and weighed against the risk incurred by the University’s use of the vendor’s products or services. Additionally, the risk assessment ensures that the vendors abide by University standards, such as single sign-on, records retention, and log management.

When applicable, compliance with regulatory standards must be verified during the risk assessment process. For instance, when third parties collect online payments on behalf of the University, those third parties must provide proof of PCI compliance. Other regulations may apply, such as FDA Part 11, FERPA, FISMA, GLBA, or HIPAA.

Vendors that pose a significant risk to the University will undergo an annual assessment to ensure continued compliance. Any significant changes to the vendor operating environment or the University’s use of the vendor may also necessitate a new risk assessment. Business units are encouraged to complete a risk assessment initiation questionnaire whenever changes occur so that the security team can determine if the proposed changes require a new risk assessment.

Next Steps

After the onboarding questionnaire is received, the Security team will contact the vendor to obtain details about their information security program. The breadth of the assessment is commensurate with the magnitude of harm that the University could face. For example, cases in which highly-sensitive University data is held or processed by a vendor carry a potentially higher risk if unauthorized access or loss occurs. Therefore, a more detailed security assessment is conducted. After Pitt IT receives the completed security questionnaire from the vendor, the Security team will typically complete its security assessment within ten business days.

Please be advised the requester (School, Department, Principal Investigator) is responsible for identifying a vendor contact and providing Pitt IT Security with the contact information such as name, email, and phone number. Without this information, a Vendor Security Risk Assessment cannot be performed.

Due to the high volume of Vendor Security Risk Assessments requested, if the vendor does not respond in a timely manner, the requester is responsible for following up with the vendor to obtain the Vendor Security Risk Assessment documents. Without these documents required by Internal Audit, the vendor cannot be reviewed.