When do your vendors need to be reviewed?
Contributed by the Infosec Compliance Team
Wondering when a vendor needs to be reviewed? The ITS Information Security Compliance Team has you covered.
Ask yourself these questions to determine the correct steps to take in the submission process!
How does the vendor handle UVA's data?
If they do any of the following:
- Process data in the cloud
- Store data in the cloud
- Transmit data in the cloud
- Provide mission-critical software
Then they need to be submitted for a security review!
Why Vendor Security Reviews?
Vendor Security Reviews act as third-party risk management that reduces the risk of inadvertent or unauthorized exposure of UVA's most sensitive data. These are not a new requirement: security reviews were previously in One Trust, and are now in Isora.
What is data sensitivity?
Highly Sensitive Data (HSD) refers to information that is valuable and requires a higher level of protection. Examples of HSD include SSN, driver's license, passport number, protected health information (PHI), personal banking, debit, or credit account information.
How critical is the service provided by the vendor?
A University mission-critical system is any factor (e.g., component, equipment, personnel, process, procedure, software, server) that is essential to a business operation or a unit and is indispensable to continuing operations. When a mission-critical system fails or is interrupted, business operations are significantly impacted. Vendors providing mission-critical systems need to be reviewed, no matter the data sensitivity type.
If it's a cloud vendor handling HSD or providing mission-critical service, you need to have your vendor reviewed.
Once you have determined a review is required, remember:
Required documentation (both of the following are required):
- SOC 2 Type II Report: A detailed audit report verifying a vendor's controls for security, availability, processing integrity, confidentiality, and privacy. Must be dated within six months of the request or include a bridge letter to cover gaps. (A bridge letter is a document confirming that no significant changes have occurred in a vendor's control environment since the most recent SOC 2 report.)
- HECVAT (Higher Education Community Vendor Assessment Toolkit): A standardized questionnaire used to assess a vendor's security and compliance posture. A completed HECVAT can be uploaded directly to Isora, or the HECVAT question set can be answered manually in Isora.
Frequency of reviews:
- Annually
-OR WHEN-