Third-Party Risk Management

To minimize the risk to UH System (UHS) data, a methodical approach is needed when engaging third parties for data storage, processing or outsourcing of university data. UHS Information Security provides this approach through its Third-Party Risk Management (TPRM) program.

The TPRM process applies to any university department or university business unit considering contracting with a third-party service for the purposes of storing, transmitting, processing, or collecting university data on behalf of the UHS.

In this process, the business unit looking to engage the third-party submits a Vendor Security Assessment (VSA) request, which includes information about the proposed third-party, solution, and data involved.

UHS Information Security reviews the submitted information and follows up with the business unit and/or third-party regarding any questions or concerns. The UHS Information Security review results in a final report which summarizes what was reviewed, any findings or concerns, and recommendations for next steps. The final recommendation is submitted back to the business unit and will be reviewed by the Office of Contracts Administration as the purchasing process continues.


Does the TPRM process apply to you?

If you are unsure whether you need to follow the TPRM process, answer the following questions. If you answer YES to any of the questions below, you will need to request a TPRM report:

  • Are you transferring UHS data to a non-UHS owned system, such as a third-party cloud service?
  • Are you contracting with a third-party who will handle UHS data on your behalf?
  • Are you contracting with a third-party to collect data on behalf of UHS?
  • Are you contracting with a third-party to handle credit card payments for UHS?

If you have any questions regarding the TPRM process, please contact UHS Information Security at security@uh.edu or visit https://infosec.uhsystem.edu.




Frequently Asked Questions

A: There are two parts to the new process, the Vendor Security Assessment (VSA) and the Vendor Risk Questionnaire (VRQ).
A: VSA is the name of the process Information Security undertakes to assess a third party's information security practices. This is done to ensure information security risk can be properly communicated to the stakeholders and to help make risk-based decisions.
A: VRQ is the replacement for the old Information Security Hosted Services Checklist (ISHSC) that was used before the updated TPRM processes started. The VRQ is a brief form that the business unit requesting to purchase a service completes and submits to Information Security to start the VSA process.
A: The length of the VSA review depends on a number of things, such as what data is involved, the third-party's responses and follow-up, etc. If the third party has the necessary paperwork filled out, the process should be fairly fast. If they do not, or this is a custom engagement, the process could take longer.

A:  When submitting a request to purchase software, please include the following information:

  • Complete a Vendor Risk Questionnaire (VRQ) in the Info Sec request portal
  • A Higher Education Community Vendor Assessment Tool (HECVAT) completed by the vendor (attach to the VRQ)

A:  Currently, third-parties will be reassessed when one of the following occurs:

  • 24 months after the last successful review
  • The third-party is purchased by another third-party
  • The service undergoes significant changes

A: If all data used with this purchase will reside locally, you do not need to go through the TPRM process.

A: Submit the vendor's NDA through the Office of Contract Administration for review.