Third-Party Risk Management

To minimize the risk to UH System (UHS) data, a methodical approach is needed when engaging third parties for data storage, processing or outsourcing of university data. UHS Information Security provides this approach through its Third-Party Risk Management (TPRM) program.

The TPRM process applies to any university department or university business unit considering contracting with a third-party service for the purposes of storing, transmitting, processing, or collecting university data on behalf of the UHS.

In this process, the business unit looking to engage the third-party submits information about the proposed third-party, solution, and data involved. UHS Information Security reviews the submitted information and follows up with the business unit and/or third-party regarding any questions or concerns. The UHS Information Security review results in a formal TPRM report which summarizes what was reviewed, any findings or concerns, and recommendations for next steps. The final report is submitted back to the business unit and will be reviewed by the Office of Contracts Administration as the purchasing process continues.


Does the TPRM process apply to you?

If you are unsure whether you need to follow the TPRM process, answer the following questions. If you answer YES to any of the questions below, you will need to request a TPRM report:

  • Are you transferring UHS data to a non-UHS owned system, such as a third-party cloud service?
  • Are you contracting with a third-party who will handle UHS data on your behalf?
  • Are you contracting with a third-party to collect data on behalf of UHS?
  • Are you contracting with a third-party to handle credit card payments for UHS?

If you have any questions regarding the TPRM process, please contact UHS Information Security at security@uh.edu.


Frequently Asked Questions

Q: How long does the TPRM process take?
A: The length of the TPRM review depends on a number of things, such as what data is involved, the third-party's responses/follow up, etc. If the third-party will store Level 1 data, the process can take several weeks, possibly longer.

Q: What documentation needs to be included in my request?
A: When submitting a request to purchase software, please include the following information:

  • Updated version of the Information Security Hosted Services Checklist (ISHCS) found HERE
  • A Higher Education Community Vendor Assessment Tool (HECVAT) completed by the vendor

Q: How often does a vendor need to be reassessed?
A: Currently, third parties will be reassessed when one of the following occurs:

  • 24 months after the last successful review
  • The third party is purchased by another third party
  • The service undergoes significant changes

Q: I am purchasing a piece of software, a software license, or hardware that will be installed locally on a UHS network. Do I need to go through the TPRM process?
A: If all data used with this purchase will reside locally, you do not need to go through the TPRM process.

Q: The vendor requires a non-disclosure agreement (NDA) to be signed before releasing some of the information. How do I proceed?
A: Submit the vendor's NDA through the Office of Contract Administration for review.