Vendor Security Assessment

Purpose

To ensure that UI data is handled, and systems are operated, in compliance with UI policy and the IT standards required by Data Classification and Standards (APM 30.11). When using, purchasing, or renewing systems or vendors, OIT requires that the risks associated with a particular product or service be identified for its intended use. A Risk Assessment must be completed by the OIT Information Security Office before the University acquires or uses an external information system.

Pre-assessment Checklist

An assessment is required when the software being requested has a cloud component,

AND at least one of these conditions applies:

  • Software is not found in the TeamDynamix Application Portfolio.
  • Software does not have a VSA completion or IT Governance date listed in the Application Portfolio.
    • Note: being used currently at U of I does not mean the software is approved, only that it is currently in use. Reasons vary: exceptions, grandfathering, shadow IT, etc.

Pre-requisites

All assessments are based primarily on the data the application processes, transmits, and/or stores, together with the privileged access the user(s) of the requested application may have. The following information helps requestors understand the minimum documentation required for an assessment, given the data risk classification in scope. First, classify the data used by the application. Then classify the data that may already be on the machine (examples: is this machine used to store high risk data such as SSNs? Is student data processed, stored, or otherwise used on this machine?). Finally, classify the user based on your knowledge of their access to high risk data.


Classifications

The data classification and the user classification will be referenced and asked for during this process, so classify both the data and the user accessing it. This is typically done by asking the requestor the five questions below and using the answers to classify the data. Does the application process, store, or transmit any of the following?

  • Personally Identifiable Information (PII) (e.g., name, DOB, SSN, birthplace, address, mother's maiden name, etc.)?
  • Credit card payment information (cardholder data subject to PCI DSS)?
  • Protected Health Information (PHI or ePHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
  • Federally funded research data (protected by the Federal Information Security Management Act (FISMA) or any other data use standard)?
  • Family Educational Rights and Privacy Act (FERPA) data?

Data, accounts, and systems must be classified according to the highest risk data that they process (APM 30.11 B-3).

Data Classification

  • Low Risk: The potential effect of a loss of confidentiality, integrity, or availability could be expected to have only a limited adverse effect on university operations, individuals, or assets.
    • Example: published public information, including press releases, directory information, or research data not otherwise confidential or regulated.
  • Moderate Risk: The potential effect of a loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets.
    • Example: FERPA-protected education records.
  • High Risk: The potential effect of a loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets.
    • Example: private information that must be protected by law or industry regulation (federally funded research data, HIPAA / ePHI, Social Security Numbers, driver's license numbers, bank or credit account numbers).

User Classification

  • User: access to Low / Moderate Risk data only.
  • HAU: access to High Risk data (on any machine).

Gather the Documentation

Minimum Required Documentation                              Low Risk      Moderate Risk  High Risk
Vendor/Application Scoping Document                         Yes           No             No
University of Idaho Data Classification Tool                Optional      Yes            Yes
  (select Vendor Security Assessment in the first drop-down)
Security Questionnaire **                                   Optional      Yes            Yes
SOC 2 Report, with bridge letter for date coverage gaps     Optional      Optional       Yes
  (the Security Team can help acquire one if necessary)
VPAT / ACR (IT Accessibility Report)                        If available  If available   If available


Types of Security Questionnaires Accepted **

  • Requester / TSP should fill out:

AND one of the following:


Vendor Scoping Document Information

  • Vendor / Product web page
  • Short vendor / product description:
    • What is the application used for?
    • How is this application updated/patched, and are updates delivered securely (for example, signed updates over an authenticated channel)?
  • What is the Data Classification of the information processed, stored, and/or transmitted by the application?
  • What is the User classification, if known?
  • What is the scope of application usage?
    • Individual
    • Groups of users
    • Department(s)
    • University wide



This article explains the process used when identifying the risks associated with a particular product or service for the intended use.

Details

Service ID: 905
Created: Tue 2/28/23 12:57 PM
Modified: Mon 6/10/24 10:16 AM