With the rapid adoption of service providers to handle sensitive processes and data at various universities, there is an increasing need for risk assessments of these vendors. Many universities use similar vendors to handle sensitive processes and data. While there are some common assessment questionnaires and certification programs published by respected authorities such as Educause, the Cloud Security Alliance (CSA), or the American Institute of Certified Public Accountants (AICPA), approving the use of these vendors still requires individual institutions to review vendor-provided documentation according to their own risk tolerance and assessment methodologies.
While the current approach allows institutions to individually assess and approve vendors based on their own risk tolerance and assessment methodologies, it requires considerable dedicated time and effort from security operations and IT risk management personnel to maintain. Given the limited resources experienced by VASCAN partner institutions and the increasing demand for vendor risk assessments, there is an opportunity for collaboration among institutions in the VASCAN community.
Goal: To formalize an agreed-upon method of sharing the results of vendor assessments for use among participating schools.
- This does not imply identical classifications of data among institutions
- This does not preclude additional vetting or analysis by the initial vetting institution or by any school that subsequently vets a vendor
- Results may be used differently by schools based on risk tolerance
Objectives: Create common Classes based on relative risk, conduct comparable vetting according to the Class, and share results via a spreadsheet and a repository of collected assessments, along with documentation or supporting documents that are not under NDA.
- Schools will conduct their own third-party assessment and will factor in the information shared via the VASCAN Shared Vendor Assessment program.
- Decisions by the assessing school may be used to varying degrees by subsequent schools
- Supporting documentation gathered may streamline efforts by subsequent schools in their collection of supporting documentation.
Decisions and Notes may be helpful in focusing assessing schools' efforts and in supporting consistent interactions with vendors. For instance, when a vendor indicates that it plans to undergo a SOC or other external audit at a future date, each subsequent school can use that information to inform its own interaction with the vendor.