Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Asset and Acquisition Management
IN PLAIN LANGUAGE
This standard helps the University manage the risks that come with using third-party vendors and online services. Any vendor that stores, processes, or has access to University Data — including cloud services and free or low-cost tools — must be reviewed to ensure they meet basic security and privacy expectations. The review process scales with risk, so higher-risk vendors receive more scrutiny. This protects the University, our students, and our data while allowing departments to use external tools responsibly and with clear approval.
1. Purpose
The purpose of this Standard is to establish minimum, risk-based requirements for assessing, approving, and managing information security risks associated with third-party vendors and service providers. Effective vendor risk management protects University Data, supports compliant procurement, and reduces exposure to cybersecurity, privacy, and operational risks throughout the vendor lifecycle.
This Standard aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and supports the University's Information Security Program.
2. Scope
This Standard applies to all third-party vendors, service providers, and partners that:
- Store, process, transmit, or have access to University Data
- Integrate with University systems, applications, or identity services
- Provide cloud, hosted, or software-as-a-service (SaaS) solutions for University business
- Are used institutionally, including no-cost or freemium services
This Standard applies to new procurements, renewals, and material changes to existing vendor relationships, regardless of funding source or procurement method.
3. Roles and Responsibilities
3.1 Chief Information Security Officer (CISO)
The CISO is responsible for:
- Establishing and maintaining this Standard
- Approving vendor risk assessment outcomes and exceptions
- Exercising authority to approve, conditionally approve, delay, or deny vendor use based on security risk
- Escalating material vendor risks to executive leadership
3.2 Information Security Office (ISO)
The Information Security Office is responsible for:
- Operating the vendor risk assessment capability
- Conducting security reviews and due diligence
- Coordinating with Data Stewards, Legal Counsel, Procurement, and other stakeholders
- Documenting risk findings and recommendations
3.3 Procurement and Business Units
Procurement staff and requesting units are responsible for:
- Initiating vendor risk assessment prior to procurement or contract execution
- Providing accurate and complete information about vendor use cases and data handling
- Complying with approval conditions and remediation requirements
4. Vendor Risk Assessment Triggers
A vendor risk assessment is required when a vendor:
- Stores, processes, or transmits University Data
- Integrates with University identity systems (e.g., SSO, provisioning)
- Provides cloud, hosted, or SaaS services used for University business
- Is provided at no cost but used institutionally
- Handles Restricted (Moderate Risk) or Confidential (High Risk) Data, even for a single department
5. Risk-Based Assessment Model
Vendor risk assessments must be conducted using a tiered, risk-based approach, with the tier determined by data classification, hosting model, and degree of system integration.
5.1 Assessment Types
Full Vendor Risk Assessment — Required for vendors presenting higher risk due to data sensitivity, cloud hosting, or system integration.
Partial Vendor Risk Assessment — Required for vendors presenting lower risk or limited data exposure.
Amended Vendor Risk Assessment — Used for low-risk scenarios or approved exception cases.
Assessment depth and documentation requirements scale with risk.
6. Assessment Methods and Documentation
6.1 Default Assessment Tools
- The Higher Education Community Vendor Assessment Tool (HECVAT) is the default assessment instrument
- SOC 2 Type II or equivalent third-party assurance reports may be accepted where appropriate
- Additional documentation may be required based on risk or regulatory considerations
6.2 Documentation Expectations
Vendors may be required to provide:
- Completed security assessment questionnaires
- Independent audit or assurance reports
- Security and privacy policies
- Incident response and business continuity documentation
7. Approval, Conditions, and Exceptions
7.1 Approval Outcomes
Vendor risk assessments may result in one of the following outcomes:
- Approval
- Conditional approval with required mitigations
- Delay pending additional information or remediation
- Denial based on unacceptable risk
7.2 Exceptions
Exceptions to assessment requirements may be granted on a case-by-case basis when justified by risk.
- Exceptions must be documented
- Compensating controls must be identified where applicable
- All exceptions require CISO approval
8. Contractual and Legal Requirements
Contracts with vendors that handle University Data must include security provisions addressing:
- Data protection and confidentiality
- Incident and breach notification
- Cooperation with investigations and audits
- Termination rights for security non-compliance
9. Ongoing Monitoring and Reassessment
- Higher-risk vendors must undergo periodic reassessment
- Reassessment is required upon renewal, material change, or security incident
- Vendor security posture must be monitored throughout the relationship lifecycle
10. Incident Notification and Response
Vendors must:
- Notify the University promptly of security incidents affecting University Data
- Cooperate with investigations, containment, and remediation activities
- Provide relevant evidence or documentation as requested
Vendor incident response obligations must align with the University Incident Response Standard.
11. Enforcement and Risk Response
When vendor security requirements are not met and no approved exception exists:
- Additional controls or restrictions may be imposed
- Vendor services may be suspended or terminated
- Risk may be escalated to appropriate management or executive leadership
12. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, regulatory requirements, or institutional processes.
13. References
- UM Information Security Policy
- UM Vulnerability Management Standard
- UM Endpoint Management & Configuration Standard
- UM Audit Log Management Standard
- UM Cloud Computing Security Standard
- NIST Cybersecurity Framework (CSF) 2.0
- Center for Internet Security (CIS) Benchmarks
- Montana University System BOR Policy 1300