Vendor Security Assessment Process

Request security assistance

Pre-assessment Checklist

An assessment is required when the software being requested has a cloud component,

AND at least one of these conditions applies:

  • The software is not found in the TeamDynamix Application Portfolio.
  • The software does not have a VSA completion or IT Governance date listed in the Application Portfolio.

  • Being currently used at U of I does not mean the software is approved; it only means it is currently in use. Reasons vary: exceptions, grandfathering, shadow IT, etc.

Pre-requisites

All assessments are based primarily on the processing, transmission, and/or storage of data, together with the privileged access the user(s) of the requested application may have. The following information helps requestors understand the minimum documentation required for an assessment, which depends on the data risk classification in scope. First, classify the data used by the application. Then classify the data that may already be on the machine (for example: is this machine used to store high risk data such as SSNs? Is student data processed, stored, or otherwise used on this machine?). Finally, classify the user based on your knowledge of their access to high risk data.


Classifications

These classifications will be referenced and asked about during this process, so please classify both the data and the user accessing the data. This is typically done by asking the requestor the five questions below; use the answers to classify the data. Does the application process, store, or transmit any of the following?

  • Personally Identifiable Information (PII) (e.g., name, DOB, SSN, birthplace, address, or mother's maiden name, etc.)?
  • Credit card payment information (aka PCI or PCI-DSS)?
  • Protected Health Information (PHI or ePHI) under the definition of the Health Insurance Portability and Accountability Act (HIPAA)?
  • Federally Funded Research data (that is protected by the Federal Information Security Management Act (FISMA) or any other data use standard)?
  • Family Educational Rights and Privacy Act (FERPA) data?
     

Data, accounts, and systems must be classified according to the highest risk data that they process (APM 30.11 B-3).

Data Classification

  • Low Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have only a limited adverse effect on the university operations, individuals, or assets.
    • Example: published public information including press releases, directory information, or research data not otherwise confidential or regulated.
  • Moderate Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets.
    • Example: FERPA
  • High Risk: The potential effect of loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets.
    • Example: private information that must be protected by law or industry regulation (Federally funded research, HIPAA / ePHI, Social Security Numbers, driver’s license numbers, bank or credit account numbers).
       

User Classification

  • User: access to Low / Moderate Risk data.
  • HAU: access to High Risk data (on any machine).


Gather the Documentation

Minimum Required Documentation                          Low Risk      Moderate Risk   High Risk
Vendor/Application Scoping Document                     Yes           No              No
University of Idaho Data Classification Tool            Optional      Yes             Yes
  (select Vendor Security Assessment in the first
  drop down)
Security Questionnaire **                               Optional      Yes             Yes
SOC 2 Report, with bridge letter for date coverage      Optional      Optional        Yes
  gaps (Security Team can help acquire if necessary)
VPAT / ACR (IT Accessibility Report)                    If available  If available    If available


Types of Security Questionnaires Accepted **

  • Requester / TSP should fill out:

AND one of the following:


Vendor Scoping Document Information

  • Vendor / Product web page
  • Short vendor / product description:
    • Installation and use (choose one):
      • Local:
        • download installer, no internet access required for function,
      • Cloud:
        • web app,
      • Hybrid:
        • local download that works with a web app and/or data storage outside UI networks / resources,
    • What is the application used for?
    • How is this application updated/patched?
  • What is the Data Classification of the information processed, stored, and/or transmitted by the application?
  • What is the User classification, if known?
  • What is the scope of application usage (choose one):
    • Individual
    • Groups of users
    • Department(s)
    • University wide
       

Vendor Security Assessment Overview

To ensure UI data is handled, and systems are operated, in compliance with UI policy and the IT standards required by Data Classification and Standards (APM 30.11), the Information Security Office provides assistance with categorizing and assessing systems. The data classification process helps OIT prioritize the highest risk vendors so that they receive the most careful scrutiny.

A system is a discrete set of resources assembled to store, process, maintain, share, or dispose of data. This includes, but is not limited to, any endpoint devices (desktops, laptops, smart phones, tablets) as well as servers, networks, or third party and cloud services.

When using, purchasing, or renewing systems or vendors, OIT can assist with identifying the risks associated with a particular product or service for the intended use. A Risk Assessment must be completed by the OIT Information Security Office before the University acquires or utilizes external information systems.

The process of assessing data classification, in order:
Classification > Assessment > Purchase

  1. University departments can use the Data Classification Tool to self-assess data classification, or submit a vendor/system to ITS for a formal security assessment. This may be done for existing systems or before purchasing a new system. If the data is already classified, the requestor may simply submit a request to begin the process.
  2. Once the data for the system is classified, the vendor must provide a completed and current version of the questionnaire using the Higher Education Cloud Vendor Assessment Tool (HECVAT, preferred) or, if the data is classified as low risk, the HECVAT Lite.
  3. The Information Security Office will provide an assessment of risk with recommendation associated with using or purchasing the system for the data involved. Please allow 20 business days response time in case vendor responses need to be clarified.
  4. The Information Security Office should be consulted whenever there are major changes to the product, architecture, or data in use.

Frequently Asked Questions

Q: This system will be going out for RFP, will a security assessment still be required?

A: Yes. Especially when a significant investment is being made by the university, we need to ensure the systems purchased will be operated within expected standards.


Q: This is a renewal of an existing contract, will an assessment be required?

A: Since this is a new process, the vendor may not have been thoroughly evaluated previously. It is best to work with ITS well ahead of any contract renewals to ensure any risks are understood and evaluated.


Q: Is this just for cloud applications?

A: UI policy only requires this assessment for cloud or third-party vendors, but other applications, particularly those that will handle High Risk data should also be carefully evaluated. Contact OIT Security for more information.


Q: An existing, approved vendor has a new product that we want to add. Is a new assessment needed?

A: Unless the data, the application, and the previously reviewed HECVAT already cover the new product, a new or updated assessment must be completed. Often, new applications were acquired or built separately on a new architecture, which necessitates further review.


For more information, please contact Mitch Parks, Chief Information Security Officer, at OIT-Security@uidaho.edu.


Details

Article ID: 237
Created: Thu 1/18/18 4:13 PM
Modified: Fri 7/19/24 11:52 AM
