Vendor Risk Assessment Procedure

Description

Implementing a Vendor Risk Assessment (VRA) process is crucial for universities to manage and mitigate risks associated with third-party vendors, especially in areas affecting information security and data privacy. A Red-Yellow-Green (RYG) scale provides a clear, straightforward way to categorize vendors based on the level of risk they pose.

Vendor Risk Assessment Process Overview

Objective: To systematically evaluate potential vendors on various risk parameters and classify them into Red (High Risk), Yellow (Moderate Risk), and Green (Low Risk) categories.

Scope: All new vendors or third-party service providers before formal engagement.

Pre-Assessment Phase

Vendor Identification: Departments seeking to engage new vendors should submit a Vendor Intake form (e.g., SaaS or Contract) detailing the intended service, data access needs, and any known security or privacy concerns.

Vendor SaaS Intake Form: Develop a comprehensive questionnaire covering security practices, data privacy, compliance with relevant regulations (e.g., GDPR, FERPA), business continuity plans, and previous security incidents. Include questions on subcontracting practices, since a vendor's subprocessors inherit access to the same data.

Initial Screening

Initial Meeting: Meet with the purchaser to conduct a preliminary review of the intake form.

Step 1: Information Gathering

Initial Meeting with Purchaser: Meet with the Lehigh staff making the purchase to understand what they intend to accomplish with the acquisition and what data the vendor will access or store. Discuss risks that might arise and determine whether each risk would be a concern to the purchaser or to Lehigh.

Step 2: Risk Evaluation & Scoring

Risk Domains: Evaluate responses within key risk domains, such as data security, privacy, legal and compliance, operational, and reputational risks.

Assign Scores: Based on responses and documentation, assign a score within each risk domain. Use predefined criteria to ensure consistency.

Aggregate Score: Calculate an overall risk score from the domain scores and define thresholds for each RYG category. Aggregation must not average away a single critical finding: a vendor scoring at the highest severity in any one domain (for example, data security) should be treated as Red regardless of its overall score.

Step 3: Color Code

Assign Color Codes: Based on the overall score, classify each vendor into the Red, Yellow, or Green category.

Red (High Risk): Requires senior management review and may necessitate additional controls or insurance, or the engagement may be declined.

Yellow (Moderate Risk): Acceptable with specific mitigations or controls in place.

Green (Low Risk): Meets the university's standard requirements with no additional controls needed.
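The scoring in Step 2 and the color assignment in Step 3, as a worked example added here (not part of the original procedure or Lehigh's own tooling). The five domains are the ones Step 2 names; the weights, the 1-to-5 scale, the thresholds and the critical-domain override are assumptions chosen for illustration and would be replaced by the university's predefined criteria. The sample vendors are constructed. The point the example makes that the steps only imply: a weighted aggregate alone can classify a vendor with a maximum data-security score as Green, so a single critical domain score must force Red.

```python
"""RYG vendor risk scoring: weighted aggregate plus a critical-domain override.

All numbers below (weights, scale, thresholds) are illustrative assumptions,
not the procedure's predefined criteria.
"""
from dataclasses import dataclass

# Risk domains from Step 2. Integer weights (percent) summing to 100 keep the
# arithmetic exact and avoid floating-point surprises at the thresholds.
WEIGHTS = {
    "data_security": 30,
    "privacy": 25,
    "legal_compliance": 20,
    "operational": 15,
    "reputational": 10,
}
assert sum(WEIGHTS.values()) == 100

SCALE_MIN, SCALE_MAX = 1, 5      # 1 = lowest risk, 5 = highest risk (assumed scale)
YELLOW_THRESHOLD = 2.5           # aggregate >= 2.5 -> Yellow (assumed)
RED_THRESHOLD = 3.5              # aggregate >= 3.5 -> Red (assumed)
CRITICAL_OVERRIDE = SCALE_MAX    # any single domain at this score -> Red (assumed rule)


@dataclass(frozen=True)
class Assessment:
    vendor: str
    scores: dict
    aggregate: float
    category: str
    reason: str


def validate_scores(scores: dict) -> None:
    """Reject incomplete or out-of-range domain scores before they are aggregated."""
    missing = set(WEIGHTS) - set(scores)
    extra = set(scores) - set(WEIGHTS)
    if missing or extra:
        raise ValueError(f"domain mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for domain, score in scores.items():
        if not isinstance(score, int) or not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{domain}: score {score!r} not an integer in "
                             f"[{SCALE_MIN}, {SCALE_MAX}]")


def aggregate_score(scores: dict) -> float:
    """Weighted mean of the domain scores on the same 1..5 scale."""
    return sum(WEIGHTS[d] * scores[d] for d in WEIGHTS) / 100


def classify(vendor: str, scores: dict) -> Assessment:
    """Map domain scores to Red / Yellow / Green, applying the override first."""
    validate_scores(scores)
    agg = aggregate_score(scores)
    worst = max(scores, key=scores.get)
    if scores[worst] >= CRITICAL_OVERRIDE:
        # A critical finding in one domain is not allowed to be averaged away.
        reason = f"{worst} scored {scores[worst]}/{SCALE_MAX}; overrides aggregate {agg}"
        return Assessment(vendor, dict(scores), agg, "Red", reason)
    if agg >= RED_THRESHOLD:
        category = "Red"
    elif agg >= YELLOW_THRESHOLD:
        category = "Yellow"
    else:
        category = "Green"
    return Assessment(vendor, dict(scores), agg, category, f"aggregate {agg}")


def summarize(assessments: list) -> dict:
    """Count of vendors per color, for the reporting step."""
    counts = {"Red": 0, "Yellow": 0, "Green": 0}
    for a in assessments:
        counts[a.category] += 1
    return counts


# Constructed sample vendors (not real assessments).
SAMPLE_VENDORS = {
    "LibraryCatalogSaaS": {"data_security": 2, "privacy": 1, "legal_compliance": 1,
                           "operational": 2, "reputational": 1},
    "SurveyTool":         {"data_security": 3, "privacy": 3, "legal_compliance": 2,
                           "operational": 3, "reputational": 2},
    "GradebookPlugin":    {"data_security": 5, "privacy": 1, "legal_compliance": 1,
                           "operational": 1, "reputational": 1},
    "OffshoreHelpdesk":   {"data_security": 4, "privacy": 4, "legal_compliance": 4,
                           "operational": 3, "reputational": 3},
}


def assess_all(vendors: dict = SAMPLE_VENDORS) -> list:
    return [classify(name, scores) for name, scores in vendors.items()]


if __name__ == "__main__":
    results = assess_all()
    for r in results:
        print(f"{r.vendor:20} {r.aggregate:4.2f} {r.category:6} ({r.reason})")
    print(summarize(results))
```

GradebookPlugin is the case to watch: its aggregate of 2.2 sits in Green, but a data-security score of 5 forces Red. Without the override, the weighted mean would have hidden exactly the finding the assessment exists to surface.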

Step 4: Collect Additional Information 

Based on the determined risk category, request and review relevant certifications (e.g., ISO 27001) and third-party audit reports (e.g., SOC 2 Type II). Confirm that the report's scope and period actually cover the service and data centers being purchased, and note any exceptions the auditor raised.

Post-Assessment Phase

Decision Making

Approvals: Ensure that vendor engagements, especially those in the Red or Yellow categories, are approved by the appropriate level of management, including the Chief Information Security Officer (CISO).

Mitigation and Monitoring

Risk Mitigation Plans: For vendors in the Yellow category, and for any Red vendor approved with conditions, develop and implement risk mitigation plans with named owners and completion dates.

Continuous Monitoring: Establish a process for the ongoing monitoring of vendor performance and compliance, with periodic reassessments.

Documentation and Reporting

Record-Keeping: Maintain detailed records of all assessments, decisions, and justifications.

Reporting: Regularly report to senior management on vendor risk posture, including the distribution of vendors across the RYG scale and any outstanding risks.

Review and Update Process

Annual Review: Review and update the VRA process annually or as significant changes occur in regulatory requirements or university policies.

Step 5: Update Vendor Security Master Index Spreadsheet and Notify CISO for Signoff

After all information has been collected, reviewed, documented, and justified in the Vendor Security Master Index spreadsheet, notify the CISO, who approves the vendor risk assessment for the fiscal year (e.g., Vendor Security Master Index Spreadsheet: https://docs.google.com/spreadsheets/d/1a7JXpmpj7zCdT7-nI5CgSt0cR2lYXkIm/edit?usp=sharing&ouid=113500674123469982229&rtpof=true&sd=true).

This process is designed to be adaptable, ensuring that the university can effectively manage vendor risks in a dynamic environment. By systematically assessing vendors and engaging only those that fall within the university's risk appetite, you can safeguard sensitive information and maintain compliance with regulatory requirements.

Related

Detail associated standards and guidance.

Revision History

Date          Version   Description                                  Approval
Jan 1, 2024   1.0       Original Document                            Draft
Mar 7, 2025   1.1       Updated Vendor Risk Assessment Procedure     Draft