Submitting an IT Security Assessment creates a request that must be approved by the Chief Information Security Officer (CISO). You will be notified when the request is updated and when an approval decision is made. Results are also shared with the Office of Enterprise Risk Management (ERM) to determine the type and amount (if any) of IT/Cybersecurity insurance required.

*Before you purchase a third-party solution, be sure to read the IT Contract Review page.
As part of the IT Contract Review Protocol and the URI Standard on Approval and Execution of Contracts and Other Binding Documents, IT Security Services conducts IT Security Assessments / Reviews of Third-Party Service Providers. URI colleges, departments and business units sometimes contract for data services with outside parties or service providers; of concern are those circumstances where service providers process or hold University data. While URI has taken steps to help ensure that its data is protected, service providers must also exercise appropriate controls to minimize the risk of exposing the data to potential unauthorized access and loss.
URI provides a Third-Party Service Provider Security Assessment to:
- Establish communications and promote constructive dialogue between URI and the potential service provider.
- Help identify business, technical, security, compliance, legal, and other control factors.
- Determine the level of risk inherent to the processing of data beyond the University’s physical controls.
Why IT Security Assessments?
- Improved risk management. Categorizing all of your suppliers in your TPRM (Third-Party Risk Management) program shows where third-party and fourth-party risks sit. Suppliers should be classified as low, medium, or high risk so that the VRM (Vendor Risk Management) program can concentrate on medium- and high-risk vendors.
- Protected data. Where the University’s “Sensitive” and/or “Restricted” data is held or processed by a service provider, the risk posed by unauthorized access or loss is potentially higher.
- Expense reduction. Your TPRM program will improve the efficiency of your vendor management operations by standardizing processes. Risk management will limit the incidence of costly unanticipated events.
- Business compliance. Government authorities fine businesses that fail to manage third parties properly. Regulators consider vendors to be an extension of a business’s ecosystem, and a violation can result in sanctions for both the corporation and the vendor. URI is subject to several federal and state information security mandates, such as GLBA (Gramm-Leach-Bliley Act) and the FTC Safeguards Rule, PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and GDPR (General Data Protection Regulation).
If you require additional information, please contact the IT Service Desk.
Connect with the Service Desk