Vendor Risk Assessments

Before a vendor or other third party is given access to, is involved in the creation of, or provides maintenance of university data, UT System Administration is required by policy (UTS 165) to ensure that a security risk assessment has been performed of the products and/or services provided by the vendor. In addition, legislation passed during the 87th Legislative Session amended the Texas Government Code to require state agencies that enter into or renew contracts for cloud computing services to comply with TX-RAMP requirements beginning January 1, 2022. TX-RAMP is a framework that provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.

The security assessment must ascertain the following:

  • that the vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and integrity of the data at rest and during any transmission or transfer; and
  • that any subcontractor or other third party that will access, maintain, or create data pursuant to the contract will also ensure the confidentiality, security, and integrity of such data while it is at rest and during any transmission or transfer.


Minimum Security Requirements

Request a Vendor Risk Assessment (ISOTRAQ)



What do we assess?

The Information Security Office performs assessments of any software used by UT System Administration and for some Systemwide initiatives. We also assess service providers, including UT System contractors (whether individuals or organizations).

Why is it necessary to assess vendors and other third parties?

We assess software and service providers to comply with UT System policy (UTS 165) and State policy (Texas Administrative Code 202). An increase in data breaches points to a lack of vendor security. Risks are much greater when we don't manage security controls. Performing security assessments is also a best practice.

When should I request a vendor risk assessment?

You should request an assessment before the decision is made to procure new software or services, or when you are renewing a contract/agreement for existing software or services. You should also request a new assessment if there are significant changes to the software or services being provided. For example: a previous installation of software was on premises but the new contract is for cloud-based software. In addition, you should request a new assessment for software and services that access, transmit, or create confidential data if the previous assessment is more than one year old.

When is an assessment not required?

An assessment is not required if all of the following are true: the software or service has had an assessment performed in the last two years, the software or service does not require access to confidential data, and all recommendations from the previous assessment have been implemented (if applicable).

What about hardware? Does it need to be assessed?

An assessment for a hardware purchase is only required if the hardware contains a software component that allows a login or authentication capability. For example: a firewall or an intrusion protection system.