Vendor Risk Management (VRM)


To minimize the risk to university data, the university needs to take a methodical approach when engaging third party service providers and cloud-based services for data storage, processing or outsourcing of university data. The Vendor Risk Management program (abbreviated VRM) is UCF Infosec’s answer to this need.

The VRM process applies to any university department or university business unit considering contracting with a third party service provider for the purposes of storing, transmitting, processing, or collecting university data on our behalf.

In this process, the service-seeking unit submits information about the proposed vendor, solution, and data involved. The Information Security Office (ISO) reviews this package and follows up with the service-seeking unit and/or vendor regarding any questions or concerns. The Information Security Office review results in a formal VRM Assessment report which summarizes what was reviewed, any findings/concerns, and recommendations. The report is reviewed and signed by the appropriate UCF business and data owners, and a signed copy with their signatures must be returned to the Information Security Office.

Submit a vendor for review using the Vendor Risk Management request in ServiceNow:

UCF Service-Now Portal
(Request a ServiceAccess and Security)

Resources


Document Title Description Download Link
Minimum Security Requirements Vendor initials each item and signs document to ensure UCF’s minimum security requirements are met. Vendor must explain any items they are not able to initial for. PDF (version 2017-11)
Third Party Data Security Assurance Questionnaire (SAQ)
Vendor completes questionnaire and signs. This questionnaire provides an in-depth look at the vendor’s information security posture. XSLX Spreadsheet (version 2018-01)
“Secure Handling of UCF Data” Security Rider
Vendor reviews and accepts these terms and integrates them into the contract, agreement, or SLA associated with the engagement. This ensures that UCF’s security and compliance requirements are outlined in legal terms. PDF (version 2017-08)

FAQ


Does the VRM program apply to my proposed vendor, program, or project?

If you answer YES to any of the following questions, your project needs a VRM review.

•Are you transferring data currently residing on a computer system owned by the University of Central Florida to a computer system not owned by the University of Central Florida?

•Are you contracting with a service provider who will create a web site or implement a system on behalf of the University of Central Florida to collect, process, or store university data?

•Are you contracting with a service provider to collect data that will later be transmitted for use by the University of Central Florida?

•Are you contracting with a service provider that will accept credit card payments on behalf of the University of Central Florida?

If you have any questions about the applicability of the Vendor Risk Management process, please do not hesitate to contact the Information Security Office.

What documentation do I need to include with my submission?

Consult the "Vendor Risk Management" request in ServiceNow, which outlines which documents need to be included depending on the data involved in the engagement.

Additional documentation may be requested by ISO over the course of the review.

Where does the Vendor Risk Management process fit in relation to General Counsel's legal review of contracts or agreements?

Ensure the Vendor Risk Management process is completed before submitting contracts/agreements to General Counsel's Cobblestone system. The VRM assessment report that is provided to you by the Information Security Office should be attached to your contract/agreement submission. UCF General Counsel uses the assessment report and ISO's feedback on the security language of any legal documents as part of their review.

When does a vendor need to be re-reviewed?

It is important to re-review a vendor whenever key parts of the engagement have changed. This can include:

•Any time the contract or agreement is changed or is up for renewal

•Any time the data that will be shared with the vendor changes (especially if the newly proposed data is classified at a higher level of restriction)

•see UCF Policy 4-008 at http://policies.ucf.edu/ for information on the classification of UCF Data

•Any time the means of data transfer changes, such as adding a connection to an on-premise UCF system

•Any time the vendor experiences a data- or security-related breach

 

Additionally, If you are unsure If a formal VRM review was ever performed on a vendor, please reach out to infosec@ucf.edu.

Who needs to sign the assessment?

ISO requires the VRM assessment report to be signed and returned by the UCF service-seeking unit. The signatures represent an acknowledgement of the findings and recommendations. The signatures do not have to wait on the actual completion of any recommendations. Additionally, there may be up to two signature fields - the UCF Business Unit and the UCF Data Owner.

UCF Business Unit - The service-seeking unit engaging directly with the vendor. This signature is always required.

UCF Data Owner - This is the person primarily responsible for the accuracy, privacy, and integrity of the data that is proposed to be shared with the vendor under reviewWhen the owner of the data differs from the service-seeking unit, ISO may require their signature acknowledging the potential risks and recommendations.
For example, if FERPA-protected data is involved, UCF's Registrar's Office may need to sign as data owner.
In both cases, the signees should be at a leadership/VP level empowered to accept risk on behalf of the unit.
Note: The vendor under review will never be required to sign the assessment report. Do not obtain vendor signatures as UCF Business Unit or Data Owner