OVERVIEW OF SERVICE
Per the INFORMATION SECURITY REQUIREMENTS FOR INSTITUTIONAL INFORMATION HELD BY THIRD PARTIES, all university departments engaging third-party service providers for any computing services that store, process, or transmit Institutional data are required to contact the Information Security Office at tprm@drexel.edu to begin the security assessment. The process begins with the requester completing an initial "Vendor Information Gathering" form providing details about the services provided by the vendor. The Information Security Office (ISO) reviews the form and determines if a comprehensive security assessment will be required.
A comprehensive security assessment involves the vendor completing a security questionnaire, known as the Higher Education Community Vendor Assessment Toolkit, or HECVAT. This is the standard questionnaire used by higher education institutions to measure vendor risk and understand what security controls are in place to protect the Institutional data. To learn more about the HECVAT questionnaire, please visit the HECVAT page. To see if a solution provider has completed a HECVAT, please visit the HECVAT Community Broker Index.
In the final step, the Information Security Office (ISO) highlights the level of risk from the vendor by providing a "risk rating" and summarizing risk findings with security recommendations in a formal Vendor Risk Assessment report.
TIMELINE
Week 1: Information Security will review the initial assessment form to determine if a comprehensive assessment is required.
Week 2-3: For low-risk engagements, Information Security will complete the assessment and send it to Compliance and Privacy for review.
Week 4: For medium- and high-risk engagements, the vendor will be asked to complete a detailed questionnaire and return it to Information Security for review. Information Security will complete its assessment and send it to Compliance and Privacy for review.
Note: The comprehensive assessment timeline is entirely dependent on the time it takes to complete the detailed questionnaire and how quickly the vendor responds to follow-up questions and inquiries.
MINIMUM SECURITY REQUIREMENTS
The Drexel University Information Security Office has developed a security checklist for third-party software and vendors. For more information, please visit our Minimum Viable Secure Product webpage.
GETTING STARTED
For questions regarding the form and security assessments, please contact Information Security, or submit a request here to get started.
AT A GLANCE
This service is provided by the Information Security Office in response to a completed Initial Vendor Information Gathering Submission and involves the vendor's completion of a security questionnaire (known as the Higher Education Community Vendor Assessment Toolkit, or HECVAT) to measure vendor risk and understand what security controls are in place to protect the Institutional data.
Eligibility
Faculty, Professional Staff, Students.
Useful Links
Getting Started
Send the Security Questionnaire to the vendor for completion. If you are unsure what counts as sensitive information, see our knowledge articles:
Requesting Help
Submit a request here to get started.