Every endeavor at Vanderbilt that involves university systems or data inherently incurs some risk to Vanderbilt – from taking on a new research project to purchasing a new piece of software for everyday work. In cases where the risk is unknown, or sufficiently concerning, the Office of Cybersecurity performs an assessment to quantify the risk and to provide recommendations about how to reduce that risk. These assessments fall into two categories: Third-Party or Internal.
Third-Party Risk Assessments
A third party is any external individual or organization that provides products or services to, or collaborates with, VU. In cases where a third party is providing a service to Vanderbilt or has access to Vanderbilt systems or data, the Office of Cybersecurity may conduct a third-party risk assessment.
The purpose of the assessment is to identify the risk(s) associated with outsourcing security responsibility to the third party. These risks depend heavily on factors such as the sensitivity of the data being shared, the business criticality of the system being accessed, and/or the importance of the service being outsourced.
Ultimately, the risk assessment identifies the applicable risks and threats and makes recommendation(s) on how to remediate or mitigate them (e.g., whether to continue purchasing or using the service offered by the third party).
Internal Risk Assessments
Internal risk assessments focus on something contained entirely within Vanderbilt’s ecosystem. This could be Vanderbilt-originated software, a Vanderbilt-hosted third-party software solution, or internal work involving sensitive data.
The purpose of this assessment is to ensure that Vanderbilt policy and industry best practices are followed as closely as possible. The goal here is to allow Vanderbilt community members to pursue their work and studies as intended while maintaining an environment that is as low risk as possible.
While the focus of the two assessments is slightly different, the process and outcome are the same. Both should make the risk of a given course of action understandable to any Vanderbilt community member involved and include recommendations on how best to remediate or mitigate that risk.
Third-Party Risk Assessment:
- When purchasing or subscribing to cloud software (e.g., Software as a Service).
- When implementing new network-connected hardware.
- When external contractors or collaborators need access to Vanderbilt systems or data.
Internal Risk Assessment:
- To evaluate internal systems and processes involving sensitive data.
- When implementing Vanderbilt-hosted third-party software.
- When developing Vanderbilt-originated software.
If you are not sure about the need for an assessment, reach out to your area’s Relationship Manager for assistance.
Open a new request by filling out a Vendor Risk Assessment Form. Contact your area’s Relationship Manager if you need assistance in getting a request submitted.
Not sure how to start?
Get in touch if you don’t know where to begin, if you can’t find the guidance you need on the website, or if you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.