Overview
Any unit that wishes to engage with a vendor must complete the onboarding questionnaire linked below. Please initiate the risk assessment early to avoid delaying engagement with the vendor.
The questionnaire provides Pitt IT Information Security with the information to understand the product or services that the vendor will provide to the University. It also defines the assessment scope, identifies the University’s potential risk, and collects the vendor’s contact information.
For additional guidance regarding when a Vendor Risk Assessment is required, please review the Submitting a Vendor Review Overview presentation.
Detail
Implementing Executive: Vice Chancellor and Chief Information Officer
Responsible Unit: Pitt Information Technology
Category: Information Security
Effective Date: June 1, 2023
Purpose
The University routinely engages with outside businesses or service providers (Vendors) to help pursue its mission. Entrusting Vendors with data about the University and members of the University community carries risks that can have a detrimental impact if proper security precautions are not in place. Pitt IT Information Security, working with the Cooperating Authorities listed below, has implemented this Vendor Security Risk Assessment policy to ensure that Vendor security practices are consistent with the security risks their products or services may carry. Proactive assessment and management of Vendor security controls ensures that sensitive personal and University information is given to Vendors only when proper security controls are in place.
Proper Vendor Security Risk Assessments will help reduce the likelihood or mitigate the impact of harm relating to:
- Failure by Vendors to protect information of students, faculty, staff, parents, research participants, alumni, donors, ticketholders, or anyone else who trusts the University to protect information the University holds about them.
- Damage to the University’s reputation because of a system breach or loss of data hosted or managed by a Vendor.
- Intrusion into University systems due to Vendor’s failure to monitor and control its use of access to University systems.
- Costs incurred by the University for notification of security breaches, credit monitoring services, call center staffing to handle inquiries, and legal fees the University might incur.
- Impairments to the University’s daily operations and inability to fully provide vital services through incidents such as ransomware attacks or theft of data.
This policy formalizes a longstanding set of University business practices.
Scope
This policy applies to all University of Pittsburgh purchases or uses of information technology products and services originating from any campus or University location from Vendors, including all products that store or use University data and/or end-user personal information.
Policy
University purchasers must request a Vendor Security Assessment prior to purchasing goods or services that are IT-related or involve University data including research data and personal information about individuals affiliated with the University. Purchasing Services will direct the purchaser to initiate the assessment process if it has not been requested and completed before the purchase is initiated.
Once the purchaser completes the questionnaire, Pitt IT Security will contact the Vendor for details about their information security programs and practices. The discussions may be complex depending on the potential risks involved. Generally, the greater the risk, the more complex the security review process will be as the University is required to comply with various laws and regulations including, but not limited to, FERPA, FISMA, GLBA, and HIPAA. The University must therefore require its Vendors to demonstrate compliance with all applicable laws and University policies before and during their engagement to provide the University community with products and services.
Vendors of products and services that pose significant risks to the University community will undergo annual reassessments to ensure continuing compliance.
Noncompliance
Failure by purchasers to request a security review or lack of cooperation by Vendors in the security review process may result in significant delays in the acquisition of needed products or services. Reviews conducted after a purchase could result in the cancellation of contracts or the return of products found to be noncompliant with security standards and best practices. The purchaser is responsible for providing accurate and complete service and product information, as well as Vendor contact information when completing the Vendor Security Request Form via the link above.
Contact Information
This policy is posted to the Policies section of the Information Technology website and can be found at https://technology.pitt.edu/policies/vendor-security-assessments.html.
Cooperating Authorities
Purchasing Services, Office of the Chief Financial Officer
Office of Risk Management
Office of Compliance, Investigations, and Ethics
Related Policies and Additional Information
Pitt IT Security
University Policies Relating to Data Security