What is a Vendor IT Risk Assessment?
A Vendor IT Risk Assessment is an evaluation process conducted to identify and mitigate potential risks associated with third-party vendors who interact with or hold the University of Montana’s data. This assessment ensures that vendors adhere to security protocols and maintain compliance with university policies and regulatory requirements.
When is it Required?
A Vendor IT Risk Assessment is required when:
- Engaging with new vendors who will access, store, process, or transmit Restricted or Confidential UM Data.
- Renewing agreements or contracts with existing vendors who handle Restricted or Confidential UM Data.
- Making significant changes to existing vendor services or introducing new services that impact UM’s IT infrastructure or data security.
- Integrating a data flow between UM Banner and the vendor.
When is it Not Required?
A Vendor IT Risk Assessment is not required when:
- The vendor services do not involve access to or handling of Restricted or Confidential UM Data.
- The engagement is limited to purchasing standard, off-the-shelf products with no IT integration.
- The vendor is providing non-technical services with no impact on the university’s IT systems or UM Data.
How Do I Know if I'm Working with Sensitive or Protected Data?
Restricted or Confidential UM Data includes, but is not limited to:
- Personally Identifiable Information (PII)
- Health Information (e.g., HIPAA data)
- Financial Information (e.g., credit card details)
- Student Records (e.g., FERPA data)
- Proprietary or confidential research data
If your project involves any of the above data types, you are likely working with sensitive or protected data and should undergo a risk assessment. Contact the Data Steward for your sector or functional unit.
What Evidence May the Vendor Be Asked to Provide?
Vendors may be required to provide:
- Security policies and procedures
- HECVAT (Higher Education Community Vendor Assessment Tool)
  - The HECVAT should be the most current version and completed within the last two years.
  - If the software is being updated to include AI integration, HECVAT v4 is required.
- Compliance certifications, such as a SOC 2 Type 2
  - A SOC 2 report is a third-party attestation that the vendor has appropriate controls in place to protect sensitive information.
- Incident response plans
- Data protection agreements
- Third-party audit reports
What are the HECVAT Requirements?
As of July 1st, 2025, and through Fiscal Year 2026, the Higher Education Community Vendor Assessment Tool (HECVAT) will need to be either v3.06 or v4. Additionally, any HECVATs that are over 2 years old will need to be updated to v4 to ensure compliance with the latest standards.
What should I do if my Vendor Requires a Non-Disclosure Agreement Before They Will Share Documents?
If your vendor requires a Non-Disclosure Agreement (NDA), please contact UM’s Information Security Office to facilitate this process. The Chief Information Security Officer (CISO) will review and approve the NDA to ensure it meets the university’s standards and protects our interests.
What should I do if my Vendor is Unable to Provide Applicable Documentation?
If a vendor cannot provide the necessary documentation, it may impact their approval. Contact the University of Montana’s Information Security Office to discuss alternative solutions or additional controls that may be implemented to mitigate the risks associated with the lack of documentation.
Does an Assessment with Identified Risks Deny My Procurement Request?
An assessment with identified risks does not automatically deny your procurement request. Instead, it initiates a dialogue to understand the risks and determine if they can be mitigated through additional controls or contractual obligations. The final decision will consider the overall risk to the university.
How Does the Vendor IT Risk Assessment Fit in the Procurement Process?
The Vendor IT Risk Assessment is an integral part of the procurement process. It should be initiated early in the vendor selection process to identify potential risks before finalizing contracts. This assessment helps ensure that vendors meet the university’s security standards and regulatory requirements, thereby protecting the university’s data and IT infrastructure.
What Should I Keep in Mind About Privacy, Intellectual Property, and Generative AI?
Privacy: Ensure vendors comply with all relevant privacy laws and university policies regarding the handling of sensitive and protected data.
Intellectual Property: Clarify ownership and rights related to any intellectual property created or used during the vendor engagement.
Generative AI: Evaluate the implications of using generative AI technologies, including data privacy, accuracy, and ethical considerations. Ensure that vendors employing AI adhere to university guidelines and industry best practices.
For more information or assistance with the Vendor IT Risk Assessment, please contact the University of Montana’s IT Security Office at infosec-grc@umontana.edu.