Vendor Security Assessment Process

Request security assistance

Vendor Security Assessment Overview

To assure UI data is handled, and systems are operated, compliant with UI policy and IT standards required by Data Classification and Standards (APM 30.11), the Information Security Office provides assistance with categorization and assessment of systems. The data classification process assists OIT in prioritizing the highest risk vendors to ensure they receive the most careful scrutiny.

A system is a discrete set of resources assembled to store, process, maintain, share, or dispose of data. This includes, but is not limited to, any endpoint devices (desktops, laptops, smart phones, tablets) as well as servers, networks, or third party and cloud services.

When using, purchasing, or renewing systems or vendors, OIT can assist with identifying the risks associated with a particular product or service for the intended use. A Risk Assessment must be completed by the OIT Information Security Office before the University acquires or utilizes external information systems.

The process of assessing data classification.
Classification > Assessment > Purchase

  1. University departments can use the Data Classification Tool to self-assess data classification, or submit a vendor/system to ITS for formal security assessment. This may be done on existing systems, or before purchasing a new system. If the data is already classified, the user may simply submit a request to begin the process.
  2. Once data is classified for the system, the vendor must provide a completed questionnaire using the Higher Education Cloud Vendor Assessment Tool (HECVAT, preferred), or if classified as low risk, the HECVAT Lite.
  3. The Information Security Office will provide an assessment of risk with recommendation associated with using or purchasing the system for the data involved. Please allow 20 business days response time in case vendor responses need to be clarified.
  4. The Information Security Office should be consulted whenever there are major changes to the product, architecture, or data in use.

Frequently Asked Questions

Q: This system will be going out for RFP, will a security assessment still be required?

A: Yes, especially when significant investment is being made by the university, we need to ensure the systems purchased will be operated within expected standards

Q: This is a renewal of an existing contract, will an assessment be required?

A: Since this is a new process, the vendor may not have been thoroughly evaluated previously. It is best to work with ITS well ahead of any contract renewals to ensure any risks are understood and evaluated.

Q: Is this just for cloud applications?

A: UI policy only requires this assessment for cloud or third-party vendors, but other applications, particularly those that will handle High Risk data should also be careful evaluated. Contact ITS for more information.

Q: An existing, approved vendor has a new product that we want to add. Is a new assessment needed?

A: Unless the data, application, and previously reviewed HECVAT covered the new product, a new or updated assessment must be completed. Often times new applications were acquired or built separately on new architecture, necessitating further review.

For more information, please contact Mitch Parks, Information Security Officer, at


Article ID: 237
Thu 1/18/18 4:13 PM
Tue 3/28/23 12:07 PM

Related Articles (2)

A list of available office phones and headsets from the ITS phones department.
Malware removal is not an effective way to ensure an infected computer is clean. The best way to approach malware infections is to format and re-image the computer.

Related Services / Offerings (2)

I want to purchase or configure a printer, scanner, copier, or other printing equipment.
Report an information security incident.