Vendor Assessment Process
University policy ISO-001 states that each member of the campus community is responsible for the security and protection of information resources over which he or she has control. Additionally, university policy ISO-023 states that the ability to protect sensitive data transmitted by, stored by or shared with a third party vendor must be maintained. To assist the community in meeting these requirements, the ISO has implemented a vendor assessment process.
The vendor assessment process consists of one or two steps as determined by the data involved. Step 1 includes a review of how the product/service will be used and defines the data elements involved. If it is determined that sensitive data elements are not involved in the process, there are no additional steps required. However, if sensitive data is involved the second step of the assessment process is required and includes a review of the vendor’s data security controls. Below is a brief description of the process.
Step I: Via completion of the Vendor Services and Data online form, the department will identify the data elements utilized within the service/solution. If sensitive data elements are involved, Step II will be required. Some examples of sensitive data include data regulated under HIPAA, FERPA, PCI, KRS 61.931-934 or data such as full name (first/last) or first initial/last name in conjunction with any of the following:
1. Student/employee identification numbers example:
John Smith Student ID #1112033 or J. Smith Employee ID #1112033
2. Medical or health record, example:
John Smith X-Ray Films
3. Grade information, example:
John Smith Spring 2019 GPA 4.0
4. Enrollment information, example:
John Smith Freshman 2020
5. Credit card, bank account or other financial information, example:
John Smith Credit Card # 5111 6111 9111 4111
6. Social security number, example:
John Smith 211-21-2111.
Step II: If required, the ISO will provide the department with a control questionnaire to be completed jointly by the department and the vendor. The questionnaire will address vendor controls in the areas such as encryption, storage, virus protection, data recovery and contract language. The assessment questionnaire or a vendor HECVAT (higher education assessment) must be reviewed by the ISO prior to the procuring of products/services or contract finalization.