Before a vendor or other third-party is given access to, provides maintenance of, or is involved in the creation of University data, UT System Administration must take steps to ensure that an assessment has been performed.
The assessment must ascertain the following:
- that the vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and integrity of the data at rest and during any transmission or transfer; and
- that any subcontractor or other third-party that will access, maintain, or create data pursuant to the contract will also ensure the confidentiality, security, and Integrity of such data while it is at rest and during any transmission or transfer.
What do we assess?
The Information Security Office performs assessments of any software used by UT System Administration and for some Systemwide initiatives. We also assess service providers, including UT System contractors (either individual or organization).
Why is it necessary to assess vendors and other third-parties?
We assess software and service providers in order to be in compliance with UT System policy (UTS 165) and State policy (Texas Administrative Code 202). An increase in data breaches points to a lack of vendor security. Risks are much greater when we don't manage security controls. Performing security assessments is also a best practice.
When should I request a vendor risk assessment?
You should request an assessment before the decision is made to procure new software or services; or when you are renewing a contract/agreement for existing software or services. You should also request a new assessment if there are significant changes to the software or services being provided. For example: a previous installation of software was on premise but the new contract is for cloud-based software. In addition, you should request a new assessment for software and services that access, transmit, or create confidential data - if the previous assessment is more than one year old.
When is an assessment not required?
An assessment is not required if the software or service has had an assessment performed in the last two years and if the software or service does not require access to confidential data and if all recommendations from the previous assessment have been implemented (if applicable).
What about hardware, does it need to be assessed?
An assessment for a hardware purchase is only required if the hardware contains a software component that allows a login or authentication capability. For example: a firewall or an intrusion protection system.
Vendor Risk Assessment Form FAQs (login required)
Vendor Risk Assessment Presentation (login required)