To minimize the risk to university data, the university needs to take a methodical approach when engaging third party service providers and cloud-based services for data storage, processing or outsourcing of university data. The Vendor Risk Management program (abbreviated VRM) is UCF Infosec’s answer to this need.

The VRM process applies to any university department or university business unit considering contracting with a third party service provider for the purposes of storing, transmitting, processing, or collecting university data on our behalf.

In this process, the service-seeking unit submits information about the proposed vendor, solution, and data involved. The Information Security Office (ISO) reviews this package and follows up with the service-seeking unit and/or vendor regarding any questions or concerns. The Information Security Office review results in a formal VRM Assessment report which summarizes what was reviewed, any findings/concerns, and recommendations. The report is reviewed and signed by the appropriate UCF business and data owners, and a signed copy with their signatures must be returned to the Information Security Office.

QUICK links

SERVICE_NOW TICKET

UCF PROCESS DOCUMENTS

LINK	DESCRIPTION
VRM Standards	Review 120 VRM Standard for specific guidance on Unrestricted, Restricted, or Highly Restricted VRMs and the process for each.
Vendor inventory list	This is a list of all vendors that have been approved by ISO to meet 120 VRM Standards. To avoid duplication of vendors for similar use cases, UCF units should consult the Vendor Inventory list to ensure there isn't an existing solution for their use case that meets these standards and is already in use at UCF.

UCF PROCESS DOCUMENTS

VRM Standards

Review 120 VRM Standard for specific guidance on Unrestricted, Restricted, or Highly Restricted VRMs and the process for each.

Vendor inventory list

This is a list of all vendors that have been approved by ISO to meet 120 VRM Standards. To avoid duplication of vendors for similar use cases, UCF units should consult the Vendor Inventory list to ensure there isn't an existing solution for their use case that meets these standards and is already in use at UCF.

VENDOR DOCUMENTS

LINK	DESCRIPTION
"Secure Handling of UCF Data” Agreement	Vendor reviews and accepts these terms and integrates them into the contract, agreement, or SLA associated with the engagement. This ensures that UCF’s security and compliance requirements are outlined in legal terms.
HECVAT	Vendor evaluates this questionnaire. The “Higher Education Cloud Vendor Assessment Tool” is an industry-standard questionnaire that assists in understanding a Vendor's security posture.
PCI ADDENDUM	For vendors that may store, process, transmit or can impact the security of cardholder data, this addendeum clarifies the PCI responsibilities between the vendor and UCF.

VENDOR DOCUMENTS

"Secure Handling of UCF Data” Agreement

Vendor reviews and accepts these terms and integrates them into the contract, agreement, or SLA associated with the engagement. This ensures that UCF’s security and compliance requirements are outlined in legal terms.

HECVAT

Vendor evaluates this questionnaire. The “Higher Education Cloud Vendor Assessment Tool” is an industry-standard questionnaire that assists in understanding a Vendor's security posture.

PCI ADDENDUM

For vendors that may store, process, transmit or can impact the security of cardholder data, this addendeum clarifies the PCI responsibilities between the vendor and UCF.

Frequently asked questions

Click-through contracts checklist: What are the requirements for click-through agreements for proposals involving UCF data?

Will the third party/vendor proposing this click-through agreement have access to, store, transmit, process, or collect any UCF data on our behalf?
1. If yes, please go to Question 2.
2. If no UCF data is involved at all, please proceed with the click through.
Please refer to UCF Policy 4-008 and classify the data involved as Unrestricted, Restricted, or Highly Restricted Data.
1. If the data involved is either Restricted or Highly Restricted, go to Number 3.
2. if the data is Unrestricted, please go to Number 4.
If Restricted data or Highly Restricted data is involved, do the following:
- A click through agreement alone is not acceptable. Engage the vendor to create a formal, mutually executed (signed by both parties) agreement that contains the Secure Handling of UCF Data agreement.
- Submit a Vendor Risk Management request to the Information Security Office for review via the ServiceNow link above.
If Unrestricted data is involved…
- Review the agreement and verify that it has basic security language. Consult the FAQ item “What should be included in the final contract or agreement?” below for guidance on what should be present for Unrestricted Data.
- Proceed with the click through.

Does the VRM program apply to my proposed vendor, program, or project?

If you answer YES to any of the following questions, your project needs a VRM review.

Are you transferring data currently residing on a computer system owned by the University of Central Florida to a computer system not owned by the University of Central Florida?
Are you contracting with a service provider who will create a web site or implement a system on behalf of the University of Central Florida to collect, process, or store university data?
Are you contracting with a service provider to collect data that will later be transmitted for use by the University of Central Florida?
Are you contracting with a service provider that will accept credit card payments on behalf of the University of Central Florida?

If you have any questions about the applicability of the Vendor Risk Management process, please do not hesitate to contact the Information Security Office.

How do contracts and agreements factor into the VRM process?

The contractual language and agreements associated with a vendor or other third party are critical to managing risk to university data and an essential part of the VRM review process.
A formal and signed agreement between the UCF unit and the vendor or other third party is necessary and required before the service or software can be used and before any UCF data can be exposed to or accessed by the vendor. Per UCF Policy 4-014, “click-through” agreements, including, but not limited to EULAs, must be submitted to the UCF General Counsel’s Office for legal review, just like other agreements.
Per UCF Policy 4-014, any contract or business agreement with a vendor should incorporate a number of items in order to reduce the risk to UCF. To this end, for engagements involving restricted and highly restricted data:

The “Secure Handling of UCF” Agreement must be signed by the vendor and included in the final set of agreements.
Any edits or redlines to the “Secure Handling of UCF Data” Agreement, or any data or security-related edits to the contract in general, must be jointly reviewed by UCF Infosec and the UCF General Counsel’s Office prior to acceptance and execution.
NO contract shall be executed until an acceptable agreement has been negotiated between UCF and the other party/vendor, reviewed and approved by the UCF General Counsel’s Office, and a VRM assessment report is provided to the UCF unit and signed by UCF unit leadership.
In cases where there is no formal agreement (such as only having a PO), the “Secure Handling of UCF” Agreement must be executed and attached.

How long does the VRM process take?

The length of the VRM process depends on a number of factors, including what data is involved, the vendor’s responses and follow-up, and contractual language needed. Typically, when highly restricted or restricted data is involved in the proposed engagement, a period of several weeks is needed but can be longer. Note that a key part of the VRM process is ensuring that contracts and agreements contain agreeable language from a data security and compliance point of view. If the vendor disagrees with terms of the Secure Handling of UCF Data Agreement, the interactions with a vendor’s legal team and the general process of modifying contracts and agreements in tandem with UCF General Counsel may add significant time to the process before a VRM Assessment Report can be provided. ISO needs to perform our due care and diligence to minimize the risk to UCF data shared with vendors. Please submit a VRM request as early as possible in the procurement process to ensure ISO has enough time to review the vendor.

I am making an IT purchase like a piece of software, a software license, or computer hardware that would be installed within a UCF network. Do I need to go through the VRM process?

If the data involved in your work on the software or hardware is not being stored, transmitted, processed, or accessed by the vendor you are purchasing from, it does not need to be submitted for VRM review.

However, if the piece of technology works in such a way that the vendor would store or process UCF data, it should be submitted for VRM review.

Regardless, ensure you are still following purchasing and procurement procedures for your unit and the university (such as Intent To Negotiate/ITN, Information Resource Request/IRR etc) where applicable.

Examples of items that do not require VRM review:

Local software that is installed on a desktop machine where the data is stored on a UCF-owned workstation or server
Software or platforms that will be installed in UCF-owned Infrastructure environments (e.g. Datasite orlando, Azure) and that will not transmit the data to any third parties
computer hardware (servers, switches, monitors, desktops, laptops, etc) as long as they will be UCF owned and deployed within a UCF-owned envioronment (Datasite orlando, Azure)

Examples of items that do require VRM review:

a file transfer tool that sends data through a third party server before reaching the destination file storage software that connects to a third party cloud storage service

What documentation do I need to include with my submission?

In order for the Information Security Office to begin a review, some documents should be included with your attached to your submission to ServiceNow. Without these documents, ISO cannot begin a review. To avoid delays, it is up to the UCF unit to collect these documents from the vendor prior to submission. The documents that need to be included depend on the UCF data that is proposed to be shared with the vendor. More sensitive types of data represent a higher level of risk and thus necessitate more thorough documentation from the vendor. The table below breaks down the documents required for each type of UCF data:

Data Type	Required Documents for ISO Review	May be needed upon ISO request:
Highly Restricted	Industry-Standard Audit Report. The following reports are acceptable: SOC2 Type 2 or SOC3 report Audit reports against ISO27001, NIST 800-171 or similar industry standard HECVAT Proof of Cybersecurity Insurance Signed Secure Handling of UCF Data Agreement	Data Flow Diagram
– including PCI	PCI Attestation of Compliance (AoC) SOC2 Type 2 or SOC3 reports	PCI Responsibility Matrix Cardholder Data Flow Diagram
Restricted	Signed Secure Handling of UCF Data Agreement	HECVAT may be requested depending on vendor’s security posture
Unrestricted	No submission needed. See 120 VRM Standard.

What should be included in the final contract or agreement?

The data involved determines what should be included in the final contract or agreement:

Data Involved	Include with contract:
Highly Restricted Data	Secure Handling of UCF Data Agreement
including PCI Data	PCI Addendum
including HIPAA Data	HIPAA-compliant Business Associates Agreement (BAA)
Restricted Data	Secure Handling of UCF Data Agreement
Unrestricted	Should contain sections relating to: Data Re-use: Agreement must state that UCF data must only be used for the intended purposes outlined in the agreement. See Secure Handling of UCF Data section 3.2 for example language. End of Agreement:Agreement must state that at the end of the agreement, data will be returned to the UCF unit and purged from the vendor’s infrastructure. See Secure Handling of UCF Data section 3.6 for example language. Data Breach: Agreement must state that vendor agrees to notify the UCF unit in the event of a breach of UCF data.

When does a vendor need to be re-reviewed?

It is important to re-review a vendor whenever key parts of the engagement have changed. This can include:

Any time the contract or agreement is changed or is up for renewal
Any time the data that will be shared with the vendor changes (especially if the newly proposed data is classified at a higher level of restriction)
- See UCF Policy 4-008 at http://policies.ucf.edu/ for information on the classification of UCF Data
Any time the means of data transfer changes, such as adding a connection to an on-premise UCF system
Any time the vendor experiences a data- or security-related breach

Who needs to sign the Assessment Report?

ISO requires the VRM assessment report to be signed and returned by the UCF service-seeking unit. The signatures represent an acknowledgement of the findings and recommendations. The signatures do not have to wait on the actual completion of any recommendations. Additionally, there may be up to two signature fields – the UCF Business Unit and the UCF Data Owner.

UCF Business Unit – The service-seeking unit engaging directly with the vendor. This signature is always required.

UCF Data Owner – This is the person primarily responsible for the accuracy, privacy, and integrity of the data that is proposed to be shared with the vendor under review. When the owner of the data differs from the service-seeking unit, ISO may require their signature acknowledging the potential risks and recommendations.

For example, if FERPA-protected data is involved, UCF’s Registrar’s Office may need to sign as data owner.

In both cases, the signees should be at a leadership/VP level empowered to accept risk on behalf of the unit.

Note: The vendor under review will never be required to sign the assessment report. Do not obtain vendor signatures as UCF Business Unit or Data Owner