Vendor Assessment Process
As part of the Risk Management Program, the ISCO provides security and compliance reviews of third parties storing or accessing university data.
University policy ISO-001 states that each member of the campus community is responsible for the security and protection of information resources over which he or she has control. Additionally, university policy ISO-023 states that the ability to protect sensitive data transmitted by, stored by or shared with a third party vendor must be maintained. To assist the community in meeting these requirements, the ISCO has implemented a vendor assessment process.
The vendor assessment process consists of one or two steps, as determined by the data involved. Step 1 includes a review of how the product/service will be used and defines the data elements involved. If it is determined that sensitive data elements are not involved, no additional steps may be required. However, if sensitive data is involved, the second step of the assessment process is required and includes a review of the vendor's security and other compliance controls. Below is a brief description of the process.
Step 1: Complete the Vendor Services and Data form
By completing the Vendor Services and Data online form (sign in required), the department identifies the data elements used within the service/solution. If sensitive data elements are involved, Step 2 will be required. Some examples of sensitive data include data regulated under HIPAA, FERPA, PCI, or KRS 61.931-934, or data such as full name (first/last) or first initial/last name in conjunction with any of the following:
- Student/employee identification numbers
- Medical or health record information
- Student personal, enrollment or grade information
- Credit card, bank account or other financial information
- Social security number or other government identification number
Step 2: Complete a security control assessment
If sensitive data is involved, the vendor may be requested to complete a security control assessment. The assessment is the standard higher ed questionnaire commonly referred to as the HECVAT, and it must be reviewed by the ISCO prior to procuring the products/services or finalizing the contract. A copy of the HECVAT can be downloaded from the Educause website.