Third-Party Risk Management

To minimize the risk to UH System (UHS) data, a methodical approach is needed when engaging third parties for data storage, processing or outsourcing of university data. UHS Information Security provides this approach through its Third-Party Risk Management (TPRM) program.

The TPRM process applies to any university department or university business unit considering contracting with a third-party service for the purposes of storing, transmitting, processing, or collecting university data on behalf of the UHS.

In this process, the business unit looking to engage the third party submits a Vendor Security Assessment (VSA) request, which includes information about the proposed third party, the solution, and the data involved.

UHS Information Security reviews the submitted information and follows up with the business unit and/or third-party regarding any questions or concerns. The UHS Information Security review results in a final report which summarizes what was reviewed, any findings or concerns, and recommendations for next steps. The final recommendation is submitted back to the business unit and will be reviewed by the Office of Contracts Administration as the purchasing process continues.


Does the TPRM process apply to you?

If you are unsure whether you need to follow the TPRM process, answer the following questions. If you answer YES to any of the questions below, you will need to request a TPRM report:

  • Are you transferring UHS data to a non-UHS owned system, such as a third-party cloud service?
  • Are you contracting with a third-party who will handle UHS data on your behalf?
  • Are you contracting with a third-party to collect data on behalf of UHS?
  • Are you contracting with a third-party to handle credit card payments for UHS?

If you have any questions regarding the TPRM process, please contact UHS Information Security at security@uh.edu or visit https://infosec.uhsystem.edu.




Frequently Asked Questions

Q: What are the parts of the process?
A: There are two parts to the new process: the Vendor Security Assessment (VSA) and the Vendor Risk Questionnaire (VRQ).

Q: What is the Vendor Security Assessment (VSA)?
A: VSA is the name of the process Information Security undertakes to assess a third party's information security practices. This is done so that information security risk can be properly communicated to the stakeholders and help them make risk-based decisions.

Q: What is the Vendor Risk Questionnaire (VRQ)?
A: VRQ is the replacement for the old Information Security Hosted Services Checklist (ISHSC) that was used before the updated TPRM process started. The VRQ is a brief form that the business unit requesting to purchase a service completes and submits to Information Security to start the VSA process.

Q: How long does the VSA process take?
A: The length of the VSA review depends on a number of things, such as what data is involved, the third party's responses and follow-up, etc. If the third party has the necessary paperwork filled out, the process should be fairly fast. If they do not, or if this is a custom engagement, the process could take longer.

Q: What documentation needs to be included in my request?
A: When submitting a request to purchase software, please include the following:

  • A completed Vendor Risk Questionnaire (VRQ), submitted in the Info Sec request portal
  • A Higher Education Community Vendor Assessment Tool (HECVAT) completed by the vendor (attached to the VRQ)

Q: How often does a vendor need to be reassessed?
A: Currently, third parties will be reassessed when one of the following occurs:

  • 24 months after the last successful review
  • The third-party is purchased by another third-party
  • The service undergoes significant changes

Q: I am purchasing a piece of software, a software license, or hardware that will be installed locally on a UHS network. Do I need to go through the TPRM process?
A: If all data used with this purchase will reside locally, you do not need to go through the TPRM process.

Q: The vendor requires a non-disclosure agreement (NDA) to be signed before releasing some of the information. How do I proceed?
A: Submit the vendor's NDA to the Office of Contract Administration for review.