Third Party Vendor Risk Assessments: Security Review
Overview
The Third-Party Vendor Risk Assessment is a key process at Trinity College that evaluates and manages risks associated with third-party suppliers. This ensures that any vendor or partner handling Trinity College’s data complies with college security and privacy standards, protecting our information’s confidentiality, integrity, and availability.
Why This Matters
Before entering into any agreement with a third-party vendor who will handle Trinity College data (whether by using, processing, storing, or transmitting it), it is essential to assess the vendor's security measures. This review helps identify potential risks and ensures the vendor meets the college's security standards, protecting the institution and its data.
Key Definitions
- Third-Party Vendor: A company, individual, or service provider outside of Trinity College that offers products, services, or software that will interact with, store, process, or transmit Trinity College data.
- Business Unit Sponsor: The individual within a department or business unit who initiates the request to purchase a product, service, or software. The sponsor ensures the product aligns with the unit’s goals and coordinates the procurement process, including necessary assessments and approvals.
- Sensitive Data: Any information protected by law or institutional policy due to its confidential or private nature, such as personally identifiable information (PII), financial records, medical data, and academic records.
- LITS IT Procurement and Business Services: The departments responsible for overseeing the procurement process, evaluating potential vendors, and ensuring that technology services, software, and hardware meet Trinity College’s institutional standards and security requirements.
How the Process Works
- Vendor Identification
The process begins when a business unit or department identifies the need for a third-party product, service, or software. If the product involves processing, storing, or transmitting Trinity College’s data, it should not be purchased or committed to until the need is reviewed and confirmed as unique (i.e., not already covered by a similar service in the service catalog).
- Procurement & Business Services
Once the need is confirmed, LITS IT Procurement and Business Services will work with the Business Unit Sponsor to identify potential vendors and evaluate their offerings.
- Note: Trinity College may already have a similar, pre-approved product. If not, a security review will be required before proceeding.
- Security Review
All stakeholders and vendors must complete specific security review forms. These forms are part of our due diligence process and must be completed before proceeding with any project, software installation, or contract. The forms provide detailed questions to assess the vendor’s security practices and their alignment with Trinity College’s requirements for handling sensitive data.
Forms & Documents
- Form for Business Unit Sponsors:
Complete the Third-Party Vendor Risk Assessment Intake Form. This form helps assess the vendor’s security posture and the potential risks associated with integrating or accessing Trinity College’s data.
- Vendor’s Supporting Documents:
Vendors must provide specific documentation (outlined at the end of the form). Common forms include SOC 2 Type 1 or 2, HITRUST, or HECVAT. Work with the vendor to gather the required documents for a thorough review.
Next Steps
- Submit a Ticket:
You should begin by submitting a ticket detailing the product you want to purchase and how it will be used within your department.
- LITS IT Procurement Review:
The LITS IT Procurement and Business Services team will determine whether the product is pre-approved within the college’s service catalog or if a similar product is available. If a similar service is unavailable, a security review will be required.
- Complete the Intake Form:
If your product requires a new procurement process, complete the Third-Party Vendor Risk Assessment Intake Form and gather the vendor’s supporting documents.
- Review Process:
The Information Security Team will acknowledge receipt of your submission and provide an estimated timeline for completing the review process. The typical turnaround time is 7 to 10 days, but it may vary depending on the time of year.
Important Notes
- Approval is Not Guaranteed: Completing the forms does not guarantee approval. It is part of our due diligence process to assess whether the vendor meets Trinity College’s security standards.
- Authorized Stakeholders Only: Only authorized department stakeholders should complete and submit these forms. LITS staff will not submit forms unless explicitly instructed by the Chief Technology Officer (CTO), Chief Information Security Officer (CISO), or Chief Information Officer (CIO).
- Timely Submission: Delays in form submission can result in approval delays. Be sure to submit all required forms and supporting documents promptly to avoid project delays.